NIST SP 800-37 Rev 2 · DoD ATO · eMASS

Risk Management Framework — a practitioner-grade implementation guide

RMF is seven sequential steps that culminate in an Authorizing Official's risk-based decision to grant Authorization to Operate. This guide explains what each step actually produces, where most programs accumulate risk, and what an assessment-ready authorization package looks like.

Three things every RMF program should get right in the first 90 days

  • Categorize honestly — over-categorization wastes years of effort; under-categorization fails the SAR.
  • Document as you build — the SSP is dramatically cheaper to write while the system is being implemented than after the fact.
  • Inherit aggressively — every control inherited from a FedRAMP platform or shared service is a control you do not have to author and re-assess.

01 — The framework

The seven RMF steps and what each actually produces

Step 01 — Prepare

Establish organizational risk tolerance, identify key roles (System Owner, ISSO, ISSE, AO), inventory system components, and document supporting policies. This step is often skipped — and that is exactly where most ATO programs accumulate technical debt that surfaces later as scope creep.

Step 02 — Categorize

Apply FIPS 199 / NIST SP 800-60 to set the system impact level — Low, Moderate, or High across confidentiality, integrity, and availability. The overall categorization drives the control baseline. Over-categorize and you carry unnecessary cost; under-categorize and you fail assessment.

Step 03 — Select

Pick the corresponding NIST SP 800-53 control baseline. Tailor as needed — supplement with overlays (Privacy, CUI, Classified), tailor out controls with documented justification, add compensating controls where the baseline does not fit operational reality.

Step 04 — Implement

Stand up the controls. Document implementation status in the SSP per control. Capture inherited controls explicitly with shared-responsibility statements from external service providers. The implementation phase is where most calendar time gets spent — and where document-as-you-build is dramatically cheaper than document-after-the-fact.

Step 05 — Assess

An independent assessor evaluates control implementation using the assessment methodology and records the results in the SAR. Outputs are formal findings and recommended POAM entries. The pre-assessment readiness review is the single most underrated step in RMF — running a dry run with internal or partner assessors catches 60–80% of findings before they reach the formal SAR.

Step 06 — Authorize

Authorizing Official (AO) makes the risk-based decision: ATO, Provisional ATO, Interim Authorization to Test, or Denial. The AO signs the Authorization Decision Document; the system can operate within the boundaries described. ATOs are typically 3 years, with reauthorization triggered by significant change or schedule.

Step 07 — Monitor

Continuous monitoring — configuration baseline drift detection, vulnerability scanning, log review, control effectiveness validation. Monitoring evidence feeds annual control reviews and the next reauthorization. Most RMF programs erode here, not in the initial authorization. Build the monitoring discipline at Implement, not after Authorize.

02 — The artifacts

What a complete ATO package actually contains

System Security Plan (SSP)

The system narrative. Describes the boundary, components, data flows, and implementation status of every applicable control. The SSP is the document the assessor reads to understand the system. A weak SSP is the most common cause of SAR findings.

Security Assessment Report (SAR)

The independent assessor's evaluation. Lists every assessed control with status (Satisfied, Other Than Satisfied, Not Applicable), evidence reviewed, findings, and recommended POAM entries. The SAR plus the SSP plus the POAM constitute the core authorization package.

Plan of Action and Milestones (POAM)

Every unresolved finding with target completion date, owner, and resource estimate. The POAM is a living document — closed items archive, new items appear from monitoring. AOs use POAM volume and aging as a primary risk signal.
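The volume-and-aging view an AO takes of the POAM, as an added example (not code from this guide): it archives closed entries, buckets open ones by age, and flags overdue items. The `PoamItem` fields, severity labels, 90/180-day buckets and sample entries are constructed assumptions.

```python
# Added example (not from the guide): summarising an open POAM the way an AO
# reads it, by volume, age and overdue count. Field names are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PoamItem:
    item_id: str
    control: str       # e.g. "AC-2"
    severity: str      # "high" | "moderate" | "low"
    opened: date
    target: date
    closed: Optional[date] = None


def poam_summary(items: List[PoamItem], today: date) -> Dict[str, object]:
    """Volume, age buckets and overdue items for every still-open entry.

    Closed items are treated as archived and ignored; aging is measured
    from the date the finding was opened, overdue from its target date.
    """
    open_items = [i for i in items if i.closed is None]
    buckets = {"0-90": 0, "91-180": 0, "181+": 0}
    overdue: List[str] = []
    for item in open_items:
        age = (today - item.opened).days
        if age <= 90:
            buckets["0-90"] += 1
        elif age <= 180:
            buckets["91-180"] += 1
        else:
            buckets["181+"] += 1
        if item.target < today:
            overdue.append(item.item_id)
    high_overdue = [i.item_id for i in open_items
                    if i.item_id in overdue and i.severity == "high"]
    return {"open": len(open_items), "age_buckets": buckets,
            "overdue": sorted(overdue),
            "high_severity_overdue": sorted(high_overdue)}


# Constructed sample POAM; dates are relative to a fixed "today".
TODAY = date(2024, 6, 30)
SAMPLE_POAM = [
    PoamItem("P-001", "AC-2", "high", date(2023, 9, 1), date(2024, 1, 31)),
    PoamItem("P-002", "CM-6", "moderate", date(2024, 2, 15), date(2024, 8, 15)),
    PoamItem("P-003", "SI-2", "moderate", date(2024, 5, 20), date(2024, 6, 15)),
    PoamItem("P-004", "AU-6", "low", date(2023, 11, 1), date(2024, 3, 1),
             closed=date(2024, 2, 20)),
]

if __name__ == "__main__":
    print(poam_summary(SAMPLE_POAM, TODAY))
```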

Authorization Decision Document

The AO's signed authorization. States the system, the boundary, the ATO term, conditions and limitations, and the residual risk the AO has accepted. This is the artifact that legally permits the system to operate.

Continuous Monitoring Strategy

How the system stays authorized. Defines monitoring cadence by control family, vulnerability scanning approach, configuration baseline validation, log review responsibilities, and the triggers for reauthorization. Often the weakest artifact in initial packages and the one most exposed at refresh.

Inherited-Control Documentation

Shared-responsibility statements from external service providers (FedRAMP cloud, managed security service, identity provider). Each inherited control needs explicit evidence the provider implements it and explicit documentation of the boundary between provider and customer responsibility.

03 — Common failure modes

Where most RMF programs accumulate risk

Weak SSP authored late

The SSP is written by program-management staff who do not understand the technical implementation, reviewed by technical staff who do not understand the assessment methodology, then handed to the assessor. The SAR comes back with dozens of “Other Than Satisfied” findings, the schedule slips two quarters, and the program loses momentum.

POAM theatre

Every control marked Implemented on the dashboard to satisfy program leadership. Independent assessment exposes the gap. The POAM balloons. The AO's confidence in the package collapses regardless of how much remediation follows.

Continuous monitoring drift

ATO is granted; the system changes; monitoring evidence stops being collected; three years later reauthorization discovers years of accumulated drift. This is the single most common cause of failed reauthorization — and the most preventable.

05 — Questions

RMF — frequently asked

What is the Risk Management Framework (RMF)?

RMF is the NIST process — codified in SP 800-37 Rev 2 — for selecting, implementing, assessing, and authorizing security controls on federal information systems. It is the backbone of how the DoD and federal civilian agencies grant Authorization to Operate (ATO) for systems handling government data. The framework is seven sequential steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor), each producing specific artifacts that feed the authorization decision.

How long does an RMF ATO take?

Highly variable. A new system going through RMF from scratch typically takes 12 to 24 months end-to-end if the team has done it before; first-time programs frequently slip to 24–36 months. A reauthorization (existing ATO refresh) is typically 4 to 9 months. A system inheriting controls from a FedRAMP Moderate or High platform can compress significantly because Prepare and Implement are largely pre-completed. The dominant variable is not technology — it is documentation discipline.

What is in an ATO package?

At minimum: the System Security Plan (SSP) describing the system, boundary, and control implementation; the Security Assessment Report (SAR) documenting independent assessor findings; the Plan of Action and Milestones (POAM) listing every unresolved finding with target dates; the Authorization Decision Document signed by the Authorizing Official (AO); and the Continuous Monitoring Strategy. Supporting artifacts include the system categorization (FIPS 199 / NIST SP 800-60), control tailoring justifications, configuration baselines, contingency plans, incident response plans, and inherited-control statements from external service providers.

What are the FIPS 199 categorization levels?

FIPS 199 categorizes systems on three security objectives — confidentiality, integrity, availability — at one of three impact levels: Low, Moderate, or High. The overall system categorization is the highest impact level across the three objectives. The categorization drives the control baseline selected from NIST SP 800-53 (Low baseline, Moderate baseline, or High baseline) and is the most consequential decision early in the RMF process — over-categorizing inflates control burden, under-categorizing fails the authorization assessment.
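The high-water-mark rule above, carried through in code as an added example (not from this guide): each objective takes the highest impact level of any information type the system handles, and the overall categorization is the highest of the three. The `InfoType` structure and the sample inventory are constructed assumptions.

```python
# Added example (not from the guide): FIPS 199 high-water-mark categorization
# across the information types a system handles, per NIST SP 800-60 practice.
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}          # impact level ranks
NAMES = {1: "Low", 2: "Moderate", 3: "High"}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional per-objective impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types: Iterable[InfoType]) -> Tuple[Dict[str, str], str, str]:
    """Return (per-objective levels, overall level, SP 800-53 baseline name).

    Per objective the system level is the highest level of any information
    type it handles; the overall categorization is the highest of the three.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        rank = max(LEVELS[getattr(t, obj).strip().lower()] for t in types)
        per_objective[obj] = NAMES[rank]
    overall = NAMES[max(LEVELS[v.lower()] for v in per_objective.values())]
    return per_objective, overall, f"SP 800-53 {overall} baseline"


def security_category(per_objective: Dict[str, str]) -> str:
    """Render the FIPS 199 SC notation, e.g. {(confidentiality, MODERATE), ...}."""
    pairs = ", ".join(f"({o}, {per_objective[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample inventory: a single High availability rating on one
# feed pulls the whole system, and therefore its baseline, up to High.
SAMPLE = [
    InfoType("public web content", "low", "moderate", "moderate"),
    InfoType("CUI case records", "moderate", "moderate", "low"),
    InfoType("mission scheduling feed", "low", "low", "high"),
]

if __name__ == "__main__":
    levels, overall, baseline = categorize(SAMPLE)
    print(security_category(levels), "->", overall, "/", baseline)
```

Splitting the high-availability feed into its own boundary, where the mission permits it, is the concrete form of the "categorize honestly" advice: it keeps the remaining system at Moderate.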

What is the difference between RMF and FedRAMP?

FedRAMP is a specific RMF application: it standardizes RMF for cloud service providers selling to federal agencies. A FedRAMP-authorized cloud (Moderate or High) is a system that completed RMF with a designated Joint Authorization Board (JAB) or Agency authorization. Federal systems built ON a FedRAMP cloud inherit the cloud's controls and run their own narrower RMF for the application layer. FedRAMP is RMF with extra rigor at the cloud-provider tier.

How does RMF relate to CMMC?

They are different but compatible. RMF is for government-owned or government-authorized systems (federal agency systems, federal contractor systems handling federal data inside a federal boundary). CMMC is for non-federal contractor systems handling Controlled Unclassified Information outside a federal boundary. NIST SP 800-171 (the CMMC L2 baseline) was derived from SP 800-53 (the RMF baseline), so the underlying controls overlap substantially. A contractor with strong RMF experience generally has a head start on CMMC — and vice versa.

What is eMASS and what role does it play?

The Enterprise Mission Assurance Support Service (eMASS) is the DoD's authoritative system of record for RMF authorization packages. ATO documentation, control implementation statements, assessment results, POAMs, and authorization decisions are all maintained in eMASS for DoD systems. Federal civilian agencies use analogous tools — CSAM at the Department of Justice, RSA Archer at several others. Mastering the eMASS workflow is a meaningful productivity multiplier for any RMF practitioner working on DoD systems.

Where do most RMF ATOs fail or stall?

Three patterns. (1) Weak SSP — written by people who do not understand the system, reviewed by people who do not understand the assessment methodology, fails at SAR. (2) POAM theatre — every control marked "Implemented" to look good on the dashboard, then exposed during independent assessment as not actually implemented. (3) Continuous monitoring drift — initial ATO is granted, the system changes, monitoring evidence stops being collected, the next reauthorization discovers years of accumulated drift. MacTech's engagements concentrate on these three because they are where program risk actually lives.

RMF programs succeed or fail at Prepare and Implement — not at Authorize

MacTech directors have led RMF programs for DoD systems for years. The work that matters happens in the first 90 days and continues through monitoring. Talk to us early — before categorization is locked in.