National Institute of Standards and Technology (NIST) Special Publication 800-37 offers guidelines for applying the Risk Management Framework (RMF) to information systems. The guideline defines RMF roles, responsibilities, and lifecycle processes for systems and organizations. RMF offers a flexible, structured process for managing security and privacy risk. This process covers information system categorization; control selection, implementation, and assessment; system and common control authorization; and continuous monitoring.
The RMF also prepares organizations to manage and mitigate risk. The system and common control authorization process provides senior leaders and executives with the information they need to make cost-effective, risk-based decisions. RMF also integrates security and privacy into the system development lifecycle. It links risk management tasks at the system level to risk management at the organization level. In addition, RMF establishes responsibility and accountability for the controls implemented within organizational systems and for the controls those systems inherit.