
NIST RMF Implementation Guide for Australian Organisations

A practical guide to implementing NIST SP 800-37 Rev. 2 Risk Management Framework in Australian organisations. Learn how to integrate the seven RMF steps with local frameworks like the ISM, AESCSF, and Essential Eight.


NIST Special Publication 800-37 Revision 2, 'Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy', provides one of the most comprehensive methodologies for managing information security risk. While developed for US federal agencies, the RMF has been adopted globally by organisations seeking a structured, repeatable approach to security governance. For Australian organisations, particularly those in critical infrastructure, government supply chains, or multinational operations, understanding and implementing RMF methodology offers significant benefits - both for improving security outcomes and for demonstrating security maturity to stakeholders who recognise the framework.

This guide provides practical implementation guidance for Australian organisations looking to adopt RMF principles, with specific attention to mapping RMF activities to Australian frameworks such as the Information Security Manual (ISM), the Australian Energy Sector Cyber Security Framework (AESCSF), and the Essential Eight. Rather than treating RMF as a compliance checkbox, we focus on extracting genuine security value from its structured approach to risk management.

Understanding the Risk Management Framework

NIST SP 800-37 Rev. 2 represents a significant evolution from earlier versions, introducing a Prepare step that precedes the traditional six-step process and integrating privacy considerations throughout. The framework now comprises seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step includes specific tasks, inputs, outputs, and roles, creating a comprehensive lifecycle approach to security management.

Figure: NIST RMF Lifecycle - 7 Steps

The fundamental premise of RMF is that security should be integrated throughout the system development lifecycle, not bolted on after the fact. This lifecycle approach aligns well with modern DevSecOps practices and recognises that security decisions made early in system design have far greater impact than those made during operations.

The framework also introduces the concept of Authorization to Operate (ATO) - a formal decision by an authorising official that accepts the residual risk of operating a system. This accountability mechanism ensures that risk decisions are made explicitly by individuals with appropriate authority, rather than defaulting to implicit acceptance through inaction.

Rev. 2 Key Changes

Revision 2 introduced several important changes that Australian organisations should understand. The addition of the Prepare step acknowledges that organisations need to establish foundational capabilities before beginning system-level RMF activities. This includes defining organisational risk tolerance, establishing governance structures, and identifying common controls that can be inherited across multiple systems.

Privacy integration is another major change. The framework now addresses both security and privacy risks, recognising that modern information systems process personal information that requires protection beyond traditional confidentiality, integrity, and availability concerns. For Australian organisations, this aligns with Privacy Act requirements and the increasing expectations of the Office of the Australian Information Commissioner.

The revision also emphasises supply chain risk management and the need to consider security throughout the acquisition and development process - relevant for organisations managing vendor relationships and third-party integrations.

The Seven RMF Steps: Practical Implementation

While NIST documentation provides detailed task descriptions for each step, practical implementation requires understanding how these steps translate to organisational activities. The following guidance addresses each step from an implementation perspective, focusing on decisions and activities that determine success.

Step 1: Prepare

The Prepare step establishes the context and preconditions for effective risk management. At the organisational level, this involves defining risk tolerance, establishing governance structures, and identifying roles and responsibilities. At the system level, preparation includes understanding the system's purpose, identifying stakeholders, and determining what common controls can be inherited from the organisation or other systems.

For Australian organisations, the Prepare step should include mapping RMF roles to existing governance structures. The Authorising Official role, for example, maps naturally to executives accountable for risk acceptance under SOCI Act obligations or organisational risk management policies. Common controls should be identified early - security capabilities that apply across multiple systems can be assessed once and inherited by individual systems, significantly reducing effort.

Documenting the system boundary is critical during preparation. A poorly defined boundary creates confusion about what is in scope for assessment and authorisation. Include all components necessary for the system to perform its function, including infrastructure, interfaces, and supporting services.

Figure: System and Authorisation Boundary

Step 2: Categorize

Categorization determines the security impact level of the system based on the potential consequences of security breaches. NIST defines three impact levels (Low, Moderate, High) across three security objectives (Confidentiality, Integrity, Availability). The highest impact level across all objectives becomes the system's overall categorisation.

For Australian organisations, the categorisation process should consider both the NIST methodology and local classification requirements. Government systems may have security classifications (OFFICIAL, PROTECTED, etc.) that inform categorisation. Critical infrastructure systems should consider SOCI Act implications - assets designated as critical infrastructure warrant higher categorisation regardless of technical factors.

Practical categorisation requires business input, not just technical assessment. Engage stakeholders who understand the business impact of system compromise. What would be the consequence of sensitive data being disclosed? Of data integrity being compromised? Of the system being unavailable for extended periods? These questions determine categorisation, not technical architecture alone.

Step 3: Select

Control selection involves choosing the security controls that will protect the system, based on its categorisation and specific risk factors. NIST SP 800-53 provides a comprehensive control catalogue, with baseline control sets for each impact level that organisations can tailor based on their environment.

For Australian organisations, control selection should consider multiple framework requirements simultaneously. ISM controls, Essential Eight requirements, and AESCSF capabilities (for energy sector organisations) can be mapped to NIST controls. Rather than implementing separate control sets for each framework, select controls that satisfy multiple requirements. This unified approach reduces implementation burden and eliminates conflicting control implementations.

Tailoring is essential - do not simply adopt NIST baselines without considering Australian context. Some NIST controls address US-specific requirements that may not apply. Conversely, Australian requirements may necessitate controls beyond NIST baselines. Document tailoring decisions with clear rationale to support assessment and authorisation activities.
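The Categorize and Select steps above can be expressed as a small decision record, which is useful when the same rules must be applied consistently across many systems. The following is an added example, not code from the article: the high-water-mark categorisation with the ISM and SOCI overlays the article describes, followed by a unified baseline that records every framework requiring each control and whether it is inherited. The control catalogue and its baseline allocations are an illustrative subset (not the real SP 800-53 baselines), the Essential Eight mappings are the ones the article cites, and raising a SOCI-designated asset by exactly one level is this example's assumption.

```python
"""Constructed example for the Categorize and Select steps with Australian overlays.
Catalogue entries and baseline allocations are illustrative, not SP 800-53's own."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class SystemProfile:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    ism_classification: str = "OFFICIAL"  # classification of information handled
    soci_critical_asset: bool = False     # designated critical infrastructure asset


def categorise(p: SystemProfile) -> tuple[Impact, list[str]]:
    """Overall impact level plus the rationale trail to record in the SSP."""
    objectives = {"C": p.confidentiality, "I": p.integrity, "A": p.availability}
    rationale = []
    # ISM overlay from the article: PROTECTED or above warrants at least Moderate
    # on every objective, applied before taking the high-water mark.
    if p.ism_classification.upper() in ("PROTECTED", "SECRET", "TOP SECRET"):
        for k, v in objectives.items():
            if v < Impact.MODERATE:
                objectives[k] = Impact.MODERATE
                rationale.append(f"{k} raised to MODERATE: {p.ism_classification} data")
    level = max(objectives.values())
    rationale.append(f"high-water mark across C/I/A = {level.name}")
    # SOCI overlay: the article says a designated asset warrants a higher
    # categorisation; raising it by one level is this example's assumption.
    if p.soci_critical_asset and level < Impact.HIGH:
        level = Impact(level + 1)
        rationale.append(f"raised to {level.name}: SOCI critical infrastructure asset")
    return level, rationale


# Illustrative catalogue: control id -> (title, lowest baseline that includes it).
CATALOGUE = {
    "AC-2": ("Account Management", Impact.LOW),
    "IA-2": ("Identification and Authentication", Impact.LOW),
    "CM-7": ("Least Functionality", Impact.LOW),
    "CM-11": ("User-Installed Software", Impact.MODERATE),
    "SI-2": ("Flaw Remediation", Impact.LOW),
    "AU-6": ("Audit Record Review, Analysis, and Reporting", Impact.LOW),
}

ESSENTIAL_EIGHT = {  # mappings as given in the article's Essential Eight section
    "Application control": ["CM-7", "CM-11"],
    "Patch applications": ["SI-2"],
    "Multi-factor authentication": ["IA-2"],
}


def select_controls(level: Impact, common_controls: set[str]) -> dict[str, dict]:
    """One unified baseline: NIST baseline for `level` plus Essential Eight controls,
    each recorded once with every source requiring it and whether it is inherited."""
    baseline: dict[str, dict] = {}

    def add(cid: str, source: str) -> None:
        entry = baseline.setdefault(cid, {
            "title": CATALOGUE[cid][0], "sources": set(),
            "implementation": "inherited" if cid in common_controls else "system"})
        entry["sources"].add(source)

    for cid, (_, lowest) in CATALOGUE.items():
        if lowest <= level:
            add(cid, f"NIST baseline {level.name}")
    for strategy, cids in ESSENTIAL_EIGHT.items():
        for cid in cids:  # included regardless of categorisation, as the article advises
            add(cid, f"Essential Eight: {strategy}")
    return baseline
```

The `sources` set on each entry is the tailoring rationale the article asks for: a control that appears under two or more sources is one the organisation implements once and assesses once.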

Step 4: Implement

Implementation involves deploying the selected controls within the system and its operational environment. This step is where security requirements translate to actual configurations, procedures, and capabilities. Effective implementation requires collaboration between security professionals and system administrators or developers.

Implementation should be documented in detail. The System Security Plan (SSP) describes how each control is implemented - not just that a control exists, but specifically how it operates in this system. For inherited controls, document the inheritance relationship and any system-specific implementation details. This documentation supports assessment activities and provides operational guidance for system administrators.

Implementation is also where integration with existing security infrastructure occurs. Identity and access management, logging and monitoring, network security, and endpoint protection capabilities may be provided by organisational systems rather than implemented within the specific system boundary. Document these dependencies and ensure interface requirements are clearly understood.

Step 5: Assess

Assessment evaluates whether controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Assessment can be performed by internal teams or independent assessors, with independence requirements increasing for higher-impact systems.

Assessment should produce evidence, not just opinions. For technical controls, assessment includes testing - vulnerability scanning, configuration review, penetration testing where appropriate. For procedural controls, assessment examines documentation and interviews personnel to verify procedures exist and are followed. Assessment findings should be specific and actionable, identifying exactly what deficiencies exist and how they can be remediated.

For Australian organisations subject to ISM requirements, IRAP assessments may satisfy RMF assessment requirements for relevant controls. Similarly, AESCSF maturity assessments provide evidence of control implementation that can inform RMF assessment activities. Leverage existing assessment activities rather than duplicating effort.

Step 6: Authorize

Authorisation is the formal decision to accept the risk of operating the system. The Authorising Official reviews the security assessment results, understands the residual risk, and makes an explicit decision to authorise operation. This decision is documented in an Authorisation to Operate (ATO) with defined scope and conditions.

The ATO concept is valuable even for organisations not formally implementing RMF. Having an accountable individual explicitly accept risk - rather than systems operating under implicit acceptance - ensures risk decisions receive appropriate attention. For critical infrastructure operators, this aligns with SOCI Act requirements for executive accountability.

Authorisation should not be indefinite. Traditional RMF implementations used time-limited ATOs (typically three years) requiring reauthorisation. Modern approaches favour continuous authorisation based on ongoing monitoring, with formal reauthorisation triggered by significant changes rather than arbitrary timeframes. Determine the approach that fits your organisational context and governance requirements.

Step 7: Monitor

Continuous monitoring maintains ongoing awareness of security posture and ensures that changes to the system or threat environment are identified and addressed. Monitoring is not simply running security tools - it involves assessing control effectiveness over time, tracking changes to the system and environment, and maintaining the information needed for ongoing authorisation decisions.

Effective monitoring requires automation. Configuration management tools verify that systems remain in their authorised state. Vulnerability scanning identifies new weaknesses as they emerge. Security information and event management (SIEM) platforms aggregate and analyse security events. These automated capabilities should feed into human processes for analysis and decision-making.

Continuous monitoring should inform ongoing authorisation. When monitoring identifies significant changes or new risks, the Authorising Official should be informed and may need to make new risk acceptance decisions. This ongoing accountability ensures that authorisation remains meaningful rather than becoming a historical artefact.
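The hand-off from automated monitoring to the Authorising Official is the part most implementations leave implicit. The following is an added example, not code from the article: a drift check compares the observed configuration against the authorised state recorded in the SSP, tags each deviation with the control it evidences, and maps the result to the ongoing-authorisation decision the article describes (continue, track as a deficiency, or refer to the Authorising Official as a significant change). Setting names, thresholds and the severity assigned to each setting are constructed for illustration.

```python
"""Constructed example: configuration drift feeding ongoing authorisation.
Settings, thresholds and control mappings are illustrative, not from any tool."""
from dataclasses import dataclass

# Authorised state as recorded in the SSP at the time of the ATO (constructed).
AUTHORISED = {
    "mfa_required": True,
    "app_control_mode": "enforce",
    "max_patch_age_days": 14,       # SLA: no missing patch older than this
    "listening_ports": {443},
}

# Control each setting evidences, and whether drift is a significant change the
# Authorising Official must re-decide or a deficiency to track and remediate.
MONITORED = {
    "mfa_required":       ("IA-2", "significant"),
    "app_control_mode":   ("CM-7", "significant"),
    "max_patch_age_days": ("SI-2", "deficiency"),
    "listening_ports":    ("CM-7", "significant"),
}


@dataclass
class Finding:
    setting: str
    control: str
    severity: str
    authorised: object
    observed: object


def detect_drift(authorised: dict, observed: dict) -> list[Finding]:
    """Compare an observed snapshot (e.g. from configuration management) with the
    authorised state; a setting the tooling failed to report counts as drift."""
    findings = []
    for setting, (control, severity) in MONITORED.items():
        exp, got = authorised[setting], observed.get(setting)
        if isinstance(exp, set):
            # Any listener beyond the authorised set is drift; fewer is acceptable.
            drifted = got is None or not set(got) <= exp
        elif isinstance(exp, int) and not isinstance(exp, bool):
            # Numeric settings are ceilings: exceeding the authorised value is drift.
            drifted = got is None or got > exp
        else:
            drifted = got != exp
        if drifted:
            findings.append(Finding(setting, control, severity, exp, got))
    return findings


def authorisation_action(findings: list[Finding]) -> str:
    """Map drift to the ongoing-authorisation decision the article describes."""
    if any(f.severity == "significant" for f in findings):
        return "notify_ao"            # AO re-decides risk acceptance
    if findings:
        return "track_and_remediate"  # record as a deficiency; ATO stands
    return "continue"
```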

Mapping RMF to Australian Frameworks

Australian organisations typically operate under multiple framework requirements, making mapping between frameworks essential for efficient compliance. RMF provides a comprehensive risk management methodology that can incorporate requirements from Australian frameworks, creating a unified approach to security governance.

Information Security Manual (ISM)

The ISM provides security controls for Australian government systems and organisations handling government information. ISM controls map naturally to NIST SP 800-53 controls, as both frameworks address similar security domains. Organisations can use RMF as their risk management methodology while implementing ISM controls as their control baseline.

The ISM's security classification system (OFFICIAL, PROTECTED, SECRET, TOP SECRET) can inform RMF categorisation decisions. Systems handling PROTECTED information, for example, warrant at least Moderate categorisation across all security objectives. ISM assessment requirements align with RMF assessment activities, and IRAP assessments can provide evidence for RMF authorisation decisions.

For organisations pursuing both ISM compliance and RMF implementation, establish a single control implementation that satisfies both frameworks. Use the ISM as your control catalogue and RMF as your risk management methodology. This avoids the complexity of maintaining separate compliance programs.

AESCSF Alignment

The Australian Energy Sector Cyber Security Framework is built on the NIST Cybersecurity Framework, making alignment with RMF straightforward. AESCSF's five functions (Identify, Protect, Detect, Respond, Recover) align with RMF's comprehensive control coverage, and the maturity model approach of AESCSF complements RMF's risk-based control selection.

Energy sector organisations can use RMF as their system-level risk management methodology while using AESCSF for organisational maturity assessment and sector-specific reporting. The AESCSF maturity assessment provides evidence that supports RMF assessment activities, and AESCSF governance requirements align with RMF's Prepare step activities.

CIRMP requirements under the SOCI Act add another dimension. RMF implementation can demonstrate the cyber security risk management program required by CIRMP, with the Authorising Official role mapping to the executive accountability expected for critical infrastructure assets. Document how RMF implementation satisfies CIRMP cyber security requirements.

Essential Eight Integration

The Essential Eight provides prioritised mitigation strategies that should be implemented regardless of framework choice. For RMF implementations, Essential Eight controls should be included in control baselines for all systems, with maturity level targets based on system categorisation and organisational risk tolerance.

Essential Eight controls map to specific NIST SP 800-53 controls. Application control maps to CM-7 (Least Functionality) and CM-11 (User-Installed Software). Patching requirements map to SI-2 (Flaw Remediation). Multi-factor authentication maps to IA-2 (Identification and Authentication). This mapping allows organisations to include Essential Eight requirements in their RMF control baselines and assess them through the same methodology.

For organisations required to report Essential Eight maturity levels, RMF assessment activities can provide the evidence needed. Assessment of relevant controls demonstrates maturity level achievement, and the continuous monitoring step ensures ongoing maturity is maintained.

Implementation Challenges and Solutions

Full RMF implementation is a substantial undertaking that many organisations struggle to complete effectively. Understanding common challenges and practical solutions enables more successful implementations.

Documentation Burden

RMF requires extensive documentation, including System Security Plans, assessment reports, and authorisation packages. For organisations without established documentation practices, this burden can seem overwhelming.

The solution is to treat documentation as an operational artefact rather than compliance paperwork. System Security Plans should describe how systems actually operate - useful for administrators, incident responders, and anyone who needs to understand the system. When documentation serves operational purposes, maintaining it becomes part of normal operations rather than a separate compliance activity.

Automation also reduces documentation burden. Configuration management tools can generate current-state documentation automatically. Assessment tools produce evidence that populates assessment reports. The goal is documentation that reflects reality because it is generated from reality, not documentation that is manually maintained and inevitably drifts from actual system state.

Resource Constraints

Comprehensive RMF implementation requires security expertise, time, and budget that many organisations struggle to allocate. The key is prioritisation based on risk. Not all systems require the same level of RMF rigour. High-impact systems warrant comprehensive implementation; lower-impact systems can use streamlined approaches. Focus resources where risk is highest.

Common controls significantly reduce per-system effort. When security capabilities like identity management, logging, and network security are implemented once and inherited by multiple systems, the per-system implementation and assessment burden decreases substantially. Invest in organisational capabilities that benefit all systems.

Phased implementation also helps manage resource constraints. Begin with the Prepare step to establish foundational capabilities, then implement RMF for new systems or systems undergoing major changes. Existing systems can be brought into RMF compliance over time based on risk priority and natural refresh cycles.

Organisational Resistance

RMF implementation often faces resistance from system owners who perceive it as bureaucratic overhead that slows delivery. Addressing this resistance requires demonstrating value and streamlining processes where possible.

The Authorising Official role, when properly implemented, provides clear accountability for risk decisions. This benefits system owners by clarifying who is responsible for accepting risk - the answer is not 'security' or 'the system owner' but a specific individual with appropriate authority. This clarity can actually accelerate decision-making by eliminating ambiguity.

Integrating RMF with agile and DevOps practices also reduces resistance. Continuous monitoring and ongoing authorisation fit better with iterative development than traditional time-limited ATOs. Security assessment can be integrated into deployment pipelines. When RMF supports rather than impedes delivery, resistance decreases.

Getting Started: A Pragmatic Approach

Organisations new to RMF should not attempt comprehensive implementation across all systems simultaneously. A pragmatic approach starts with foundational activities and expands incrementally.

Phase 1: Foundation

Begin with the Prepare step at the organisational level. Define your organisation's risk tolerance and document it. Establish governance structures, including identifying who will serve as Authorising Officials for different system types. Create a control catalogue that incorporates requirements from all applicable frameworks - ISM, AESCSF, Essential Eight, and any sector-specific requirements.

Identify common controls that will be provided organisationally. Identity and access management, security monitoring, network security, and endpoint protection are typically organisational capabilities that individual systems inherit. Document these common controls and establish processes for systems to inherit them.

Phase 2: Pilot

Select a pilot system for full RMF implementation. Choose a system that is representative of your environment but not so critical that delays would be catastrophic. Work through all seven steps with this pilot, documenting lessons learned and refining processes.

The pilot will reveal gaps in your organisational preparation - controls you thought were common but actually vary by system, documentation requirements you had not anticipated, assessment approaches that do not work in your environment. Address these gaps before expanding to additional systems.

Phase 3: Expansion

Expand RMF implementation to additional systems based on risk priority. High-impact systems and systems undergoing major changes should be prioritised. As you implement RMF for more systems, look for opportunities to further develop common controls and streamline processes.

Establish metrics that demonstrate RMF value - time from control selection to authorisation, deficiencies identified and remediated through assessment, risk decisions made explicitly by Authorising Officials. These metrics support ongoing investment in RMF implementation and demonstrate security program maturity to stakeholders.

RMF for Critical Infrastructure

Australian critical infrastructure operators face specific requirements that RMF implementation can address. The SOCI Act requires critical infrastructure risk management programs, and RMF provides a structured methodology for the cyber security component of these programs.

The executive accountability required by SOCI aligns with the Authorising Official role in RMF. When an Authorising Official makes an explicit decision to authorise system operation, they are accepting accountability for residual risk - exactly the type of decision-making SOCI expects from critical infrastructure operators.

Systems of National Significance (SoNS) face enhanced requirements including vulnerability assessments and incident response planning. RMF's assessment step provides methodology for ongoing vulnerability assessment, and the documentation requirements support incident response planning by ensuring system architecture and security controls are well understood.

For critical infrastructure organisations, RMF implementation demonstrates security program maturity to regulators, insurance providers, and other stakeholders. While SOCI does not mandate RMF specifically, implementing a recognised risk management framework provides evidence that security is being managed systematically and professionally.

Conclusion

NIST SP 800-37 Rev. 2 provides a comprehensive methodology for managing information security risk throughout the system lifecycle. For Australian organisations, RMF offers a structured approach that can incorporate local requirements from the ISM, AESCSF, and Essential Eight into a unified security program. Implementation requires investment in foundational capabilities, documentation practices, and governance structures, but the result is a security program with clear accountability, comprehensive coverage, and ongoing assurance through continuous monitoring.

Rather than viewing RMF as a compliance burden, organisations should recognise it as a tool for managing security risk effectively. The framework's emphasis on explicit risk acceptance, documented controls, and ongoing monitoring addresses real security management challenges. By implementing RMF pragmatically - starting with foundational activities, piloting with representative systems, and expanding based on risk priority - Australian organisations can achieve both improved security outcomes and demonstrable compliance with multiple framework requirements.

Need help implementing the Risk Management Framework?

Our team has extensive experience helping Australian organisations implement structured risk management approaches that integrate with local framework requirements.