The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate. The RMF consists of the following six steps:
Step 1: Categorize the information system based on the information types the system processes, stores, or transmits, using SP 800-60 and FIPS Publication 199 to determine the impact level (Low, Moderate, or High);
Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance;
Step 3: Implement the security controls and document the design, development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
Step 6: Monitor the security controls in the information system and its environment of operation on an ongoing basis to determine control effectiveness, to identify changes to the system or its environment, and to verify compliance with legislation, Executive Orders, directives, policies, regulations, and standards.