The RMF establishes security and privacy controls for systems and organizations. It contains more than 800 controls to select from, many of which don't apply to embedded systems. It is up to the program office or federal agency to go through all the RMF controls and determine which apply. The RMF controls come in a series of NIST and Federal Information Processing Standards (FIPS) documents: Guide for Applying the Risk Management Framework to Federal Information Systems; Security and Privacy Controls for Federal Information Systems and Organizations; and Standards for Security Categorization of Federal Information and Information Systems.
The Committee on National Security Systems has produced CNSSI-1253 to provide guidance on selecting RMF controls for national security systems (NSS). It should be reviewed along with SP800-53 in cases where the system is classified as crucial to national security.
The RMF contains 20 families of controls, ranging from access control to supply chain risk management. Some of the controls focus primarily on security functionality while other controls focus on assurance. Some controls can support functionality and assurance.