Why the Sixth Step in the Risk Management Framework (RMF) is the Most Important.


In this paper, I will define the sixth step (monitor) in the Risk Management Framework (RMF), provide information about it using multiple government documents, explain its importance, as well as outline the possible complications involved if the step is not introduced or completed in its entirety. Finally, I will offer some real-world examples of why the monitoring step is vital to the continuation of the security advancements that a finished RMF offers, what a properly designed monitoring program can provide (such as disaster recovery and forensic analysis), as well as explain why, in my opinion, the monitoring step is the most essential phase in the RMF.

While it may seem like the last step of the Risk Management Framework (RMF) carries the least importance (because of its position in the sequence), I believe that step six, the monitoring phase, has the most vital and necessary impact on the entire process. The monitoring step continuously observes the security mechanisms, policies, and procedures of the information system: it evaluates control effectiveness, ensures that all changes and revisions are properly documented, analyzes each change’s impact on the system, and informs the appropriate officials in the organization of the state of security and risk.

Per SP 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” the monitoring step enables organizations to verify the compliance, effectiveness, and results of the previous five steps (NIST, 2011). By the time the last step in the RMF begins, the majority of the work has already been completed; however, without continued monitoring of the risks that were identified, and of the measures put in place to protect against them, the benefits of the entire effort are rendered meaningless, regardless of how thoroughly and successfully each prior step was carried out.

In SP 800-37 (Revision 2), “Risk Management Framework for Information Systems and Organizations,” the monitoring step is broken down into well-defined tasks. After the five previous steps in the RMF are completed, the information system and its environment need to be monitored at all times, to show the effectiveness of the applied changes and to understand which changes worked as intended and which might need revision. Active monitoring is beneficial, but ongoing security assessments of the newly designed system are required to maintain confidence in the RMF’s design and updates. Because supporting the RMF and its risk-reduction improvements is a never-ending effort, compiling proper documentation is vital both for enforcing monitoring activities and for keeping organizational leaders informed of progress (NIST, 2018).

By using risk monitoring tools, vulnerability scanning, research into emerging technologies that could be beneficial if added to the current RMF, and automation of security controls, a monitoring program and schedule can be formulated, ensuring constant supervision and upkeep of every implemented RMF aspect. The monitoring step of the RMF, being the last phase of the entire process, serves as a final examination: it ensures that all of the previous steps have had their risk assessments measured and tested accurately, and it confirms that the risk-prevention procedures have been correctly enforced (NIST, 2011).
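As an added illustration (not code from the original post or from NIST), here is a small Python tracker for the scheduling side of step six described above: it flags controls whose reassessment interval has elapsed and changes that lack the documentation or impact analysis the step requires. The control identifiers, intervals, change records and reference date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Control:
    control_id: str        # control identifier (sample values below are constructed)
    frequency_days: int    # reassessment interval from the monitoring strategy
    last_assessed: date    # date of the last completed control assessment


@dataclass
class Change:
    change_id: str
    affected_controls: list       # controls the change touches
    impact_analysis_done: bool    # security impact analysis recorded?
    documented: bool              # change entry present in the system documentation?


def overdue_controls(controls, today):
    """Control IDs whose scheduled reassessment interval has elapsed."""
    return sorted(c.control_id for c in controls
                  if today - c.last_assessed > timedelta(days=c.frequency_days))


def undocumented_changes(changes):
    """Change IDs missing either the documentation or the impact analysis."""
    return sorted(ch.change_id for ch in changes
                  if not (ch.documented and ch.impact_analysis_done))


def controls_needing_reassessment(controls, changes, today):
    """Controls past schedule or touched by a change with no impact analysis.
    Only controls present in the inventory are reported; an unknown control ID
    in a change record is itself a documentation gap and is left to the caller."""
    due = set(overdue_controls(controls, today))
    for ch in changes:
        if not ch.impact_analysis_done:
            due.update(ch.affected_controls)
    inventory = {c.control_id for c in controls}
    return sorted(due & inventory)


# Constructed sample inventory, change log and reference date.
SAMPLE_CONTROLS = [Control("AC-2", 90, date(2019, 8, 1)),
                   Control("SI-2", 30, date(2019, 11, 20)),
                   Control("CM-3", 180, date(2019, 10, 1))]
SAMPLE_CHANGES = [Change("CHG-001", ["SI-2"], True, True),
                  Change("CHG-002", ["CM-3", "AC-6"], False, True),
                  Change("CHG-003", ["AC-2"], True, False)]
TODAY = date(2019, 12, 3)


def monitoring_report(controls=SAMPLE_CONTROLS, changes=SAMPLE_CHANGES, today=TODAY):
    """Summary an authorizing official would receive from the monitoring step."""
    return {"overdue": overdue_controls(controls, today),
            "undocumented_changes": undocumented_changes(changes),
            "reassess": controls_needing_reassessment(controls, changes, today)}
```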

Step six of the RMF, if not performed with the same attention as the other steps, can eliminate the effectiveness of all risk-reduction procedures, because any change to an organizational structure, whether physical or digital, requires ongoing maintenance, analysis, and testing to ensure that the change remains enforced and performs as intended. Without proper and continuous documentation of the changes and successes of the five prior steps, and without ongoing maintenance and testing of the modifications and updates they introduced, future security professionals assigned to carry out the RMF’s objectives will be unclear on the instructions, and in the event of a disaster, bug, legal issue, or system failure they will have a difficult time detailing what happened, who was responsible, and, more importantly, what to do to fix the flaw or vulnerability.

Proper documentation, in my opinion, is far more imperative than even completing a task correctly, depending on the situation of course. For example, if the results of a project are not satisfactory, I can go back and see exactly where someone made a mistake using the associated changelog (documentation). Then, I can use that information to instruct the individual who made the mistake on what they did wrong and, more importantly, how to avoid doing it in the future. For the RMF, if proper documentation is maintained, you can immediately find the root cause of a sudden software issue or even assist computer forensic personnel in their retrieval of valuable evidentiary material (EM) during an investigation (Whitman, 2016).

The RMF is an excellent method to categorize, select, implement, assess, authorize, and monitor risk management, in that it uses each of the six steps to strengthen information security and risk management processes, and it facilitates discussion and exchange between an organization and federal agencies, with the goal of improving an infrastructure’s cybersecurity by reducing risk. Similar to a chain, one weak link can diminish the integrity of the entire structure. In the RMF, each of the six stages is vital to the success of the whole operation, with the sixth, monitoring, step holding the responsibility for the continuation of each of the previous steps, as well as enforcing the constant visibility, reporting, and testing of the RMF by trained professionals.


Whitman, M. & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.

Joint Task Force. (2018, December). NIST Special Publication 800-37: Risk Management Framework for Information Systems and Organizations. Retrieved December 3, 2019, from

Joint Task Force. (2011, March). NIST Special Publication 800-39: Managing Information Security Risk. Retrieved December 3, 2019, from
