Steps of the NIST Risk Management Framework

The National Institute of Science and Technology Risk Management Framework (RMF) (NIST SP 800-37 Rev. 2) is an informative guide to use when implementing a risk management plan. The RMF is a process that combines security and risk management as part of a systems development life cycle. It follows seven steps:

  1. Prepare Step—Includes all the required activities that help prepare an organization to manage its security and privacy risks
  2. Categorize Step—Involves categorizing the system and any information processed, stored, and transmitted
  3. Select Step—Involves the setup of an initial set of baseline controls for the system, based on the security categorization
  4. Implement Step—Implements the security controls and documents how the controls are used within the system of operation
  5. Assess Step—Pertains to assessing the security controls using appropriate methods to determine the extent to which they were implemented and checking to ensure the controls work as intended and with the correct outcomes
  6. Authorize Step—Authorizes the operation of the system based on a determination of the risk to the organization’s operations and assets, people, technology, other organizations, and the nation to ensure that the risk is acceptable to them
  7. Monitor Step—Focuses on continually monitoring and assessing the selected security controls, assessing the effectiveness of the security controls, documenting changes to the system’s operation, conducting security impact analyses of the changes, and reporting the security state of the system
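The following is an added example, not from the book or from NIST, showing how steps 2 through 7 of the RMF can be modelled as a small, testable workflow in Python: Categorize uses the FIPS 199 high-water mark over the confidentiality, integrity, and availability ratings of the system's information types, Select pulls a baseline by impact level, Implement and Assess record control status, Authorize decides on the open findings, and Monitor re-categorizes after a change and reopens the authorization when the impact level rises. The information types, the control-to-baseline allocation, and the assessment results are constructed for illustration (the control identifiers are real SP 800-53 families, but the allocation here is a simplified assumption, not the SP 800-53B baselines). The Prepare step is organizational and is not modelled.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels; IntEnum so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: information types of a hypothetical system with their
# (confidentiality, integrity, availability) impact ratings.
SAMPLE_INFO_TYPES = {
    "public_web_content": (Impact.LOW, Impact.MODERATE, Impact.LOW),
    "customer_pii": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
}

# Illustrative control subset per baseline. The allocation is an assumption
# made for this example, not the real SP 800-53B allocation.
BASELINE_CATALOG = {
    Impact.LOW: ["AC-2", "AC-3", "AU-2", "IA-2", "SC-7"],
    Impact.MODERATE: ["AC-2", "AC-3", "AU-2", "IA-2", "SC-7", "RA-5", "SI-4"],
    Impact.HIGH: ["AC-2", "AC-3", "AU-2", "IA-2", "SC-7", "RA-5", "SI-4", "AU-6"],
}


@dataclass
class ControlRecord:
    implemented: bool = False
    assessment: str = "not assessed"  # or "satisfied" / "other than satisfied"


@dataclass
class SystemAuthorization:
    level: Impact
    controls: dict  # control id -> ControlRecord
    authorized: bool = False


def categorize(info_types):
    """Categorize step: high-water mark across all information types and objectives."""
    conf = max(v[0] for v in info_types.values())
    integ = max(v[1] for v in info_types.values())
    avail = max(v[2] for v in info_types.values())
    return max(conf, integ, avail)


def select_baseline(level):
    """Select step: initial control set driven by the security categorization."""
    return list(BASELINE_CATALOG[level])


def implement(auth, control_ids):
    """Implement step: mark controls as in place in the system."""
    for cid in control_ids:
        auth.controls[cid].implemented = True


def assess(auth, results):
    """Assess step: a control is satisfied only if implemented and verified working."""
    for cid, works in results.items():
        rec = auth.controls[cid]
        rec.assessment = "satisfied" if (rec.implemented and works) else "other than satisfied"


def authorize(auth, tolerated_open_findings=0):
    """Authorize step: unassessed or failed controls are open findings the AO weighs."""
    open_findings = sorted(cid for cid, r in auth.controls.items() if r.assessment != "satisfied")
    auth.authorized = len(open_findings) <= tolerated_open_findings
    return auth.authorized, open_findings


def monitor(auth, new_info_types):
    """Monitor step: re-categorize after a change. A higher impact level adds baseline
    controls (unimplemented, unassessed) and withdraws the current authorization."""
    new_level = categorize(new_info_types)
    if new_level <= auth.level:
        return []
    added = [cid for cid in select_baseline(new_level) if cid not in auth.controls]
    for cid in added:
        auth.controls[cid] = ControlRecord()
    auth.level = new_level
    auth.authorized = False
    return added


def run_rmf(info_types, assessment_results):
    """Run Categorize -> Select -> Implement -> Assess; Authorize/Monitor are called separately."""
    level = categorize(info_types)
    auth = SystemAuthorization(level, {cid: ControlRecord() for cid in select_baseline(level)})
    implement(auth, list(auth.controls))
    assess(auth, assessment_results)
    return auth


if __name__ == "__main__":
    auth = run_rmf(SAMPLE_INFO_TYPES, {cid: True for cid in select_baseline(Impact.MODERATE)})
    print("categorized as", auth.level.name, "authorized:", authorize(auth))
    changed = dict(SAMPLE_INFO_TYPES, payment_keys=(Impact.HIGH, Impact.HIGH, Impact.MODERATE))
    print("monitor added", monitor(auth, changed), "authorized:", auth.authorized)
```

The point worth noticing is in `monitor`: a change that raises the categorization does not merely add controls, it invalidates the existing authorization until the new controls have been implemented and assessed, which is the loop the Monitor step describes.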