NIST COMPLIANCE CHECKLIST

A practical NIST compliance checklist focused on the SP 800-37 Rev 2 Risk Management Framework: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. This is the seven-step cadence that drives federal Authorization to Operate (ATO) decisions.

Who must comply with NIST RMF

US federal agencies and contractors that build, operate, or host federal information systems. The broader NIST CSF and SP 800-171 also apply outside government (especially for DoD contractors and critical-infrastructure operators).

Jurisdiction: US federal information systems and the contractors that build them. Full name: NIST Risk Management Framework (SP 800-37 Rev 2).

NIST RMF Checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. STEP 1

    Prepare: establish the risk-management context - roles, risk tolerance, common controls, and continuous-monitoring strategy (added as Step 1 in SP 800-37 Rev 2).

  2. STEP 2

    Identify and define the information system boundary.

  3. STEP 3

    Categorize the system using FIPS 199: assign Low / Moderate / High to confidentiality, integrity, and availability, taking the high-water mark across every information type the system handles (FIPS 199 never allows "not applicable" at the system level).

  4. STEP 4

    Select the control baseline (Low / Moderate / High, as defined in NIST SP 800-53B for the SP 800-53 Rev 5 catalogue) that matches the system's overall impact level, i.e. the FIPS 200 high-water mark across the three objectives.

  5. STEP 5

    Tailor and supplement the baseline based on system-specific risk, documenting the justification for every control removed, scoped, or added.

  6. STEP 6

    Implement controls and document them in the System Security Plan (SSP).

  7. STEP 7

    Assess control implementation per NIST SP 800-53A; an independent assessor is required for moderate- and high-impact systems (SP 800-53 control CA-2(1)).

  8. STEP 8

    Develop a Plan of Action and Milestones (POA&M) for any residual findings.

  9. STEP 9

    Authorizing official reviews the authorization package and makes the ATO decision.

  10. STEP 10

    Operate under the ATO and run continuous monitoring on the cadence set in the continuous-monitoring strategy from the Prepare step.

  11. STEP 11

    Re-authorize when a significant change occurs or the authorization term expires; where the organisation runs an ongoing-authorization programme built on continuous monitoring, that programme replaces fixed-term re-authorization.
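Steps 3 to 5 are the only part of the cycle that is a computation rather than a governance activity, so here is that computation worked through in code. This is an added example, not tooling from the page or from NIST: the FIPS 199 high-water mark across information types, the FIPS 200 high-water mark that fixes the system's impact level, baseline selection, and tailoring with a mandatory justification per change. The information types are constructed, and the three-control baseline table is an illustrative excerpt; the authoritative baseline membership must come from SP 800-53B.

```python
"""FIPS 199 categorization, FIPS 200 high-water mark, SP 800-53B-style baseline
selection and tailoring. Added worked example; sample data is constructed."""
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """FIPS 199 system security category.

    For each security objective take the highest impact (high-water mark) across
    all information types on the system. The result is floored at LOW because
    FIPS 199 never allows NA for an information system, only for information."""
    if not info_types:
        raise ValueError("a system must host at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = []
        for name, sc in info_types.items():
            level = sc[objective]
            if level == Impact.NA and objective != "confidentiality":
                raise ValueError(f"{name}: NA is only valid for confidentiality")
            levels.append(level)
        category[objective] = max(Impact.LOW, max(levels))
    return category


def overall_impact(category):
    """FIPS 200: the system impact level is the high-water mark across objectives."""
    return max(category.values())


# Constructed excerpt for illustration only. The real Low/Moderate/High membership
# of every control lives in NIST SP 800-53B and must be taken from there.
ILLUSTRATIVE_BASELINES = {
    "AC-2": Impact.LOW,           # Account Management: lowest baseline is Low
    "AC-2(1)": Impact.MODERATE,   # Automated System Account Management: Moderate and High
    "CA-8": Impact.HIGH,          # Penetration Testing: High only
}


def select_baseline(level, catalog=ILLUSTRATIVE_BASELINES):
    """Every control whose lowest baseline is at or below the system's impact level."""
    return sorted(c for c, lowest in catalog.items() if lowest <= level)


def tailor(baseline, remove=None, add=None):
    """Tailor the baseline. Each removal or supplement must carry a justification
    that goes into the SSP; returns (tailored control list, decision log)."""
    controls = set(baseline)
    log = []
    for ctrl, why in (remove or {}).items():
        if ctrl not in controls:
            raise ValueError(f"cannot remove {ctrl}: not in baseline")
        if not why:
            raise ValueError(f"removal of {ctrl} needs a documented justification")
        controls.discard(ctrl)
        log.append(("removed", ctrl, why))
    for ctrl, why in (add or {}).items():
        if not why:
            raise ValueError(f"addition of {ctrl} needs a documented justification")
        controls.add(ctrl)
        log.append(("added", ctrl, why))
    return sorted(controls), log


# Constructed sample: two information types hosted on one system.
SAMPLE_INFO_TYPES = {
    "public web content": {
        "confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW},
    "personnel records (CUI)": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
}

if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    level = overall_impact(category)
    baseline = select_baseline(level)
    tailored, decisions = tailor(baseline, add={"CA-8": "internet-facing; AO requires penetration testing"})
    print("FIPS 199 category:", {k: v.name for k, v in category.items()})
    print("FIPS 200 impact level:", level.name)
    print("baseline:", baseline)
    print("tailored:", tailored, decisions)
```

Two details matter in practice: the public information type's NA confidentiality does not pull the system down to NA (it is floored at LOW), and the moderate CUI type alone drives the whole system to a Moderate baseline, which is why boundary definition in the Prepare step has such a large effect on cost.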

NIST RMF Process Map

The NIST RMF Rev 2 cycle - Prepare opens the cadence; the Assess → Authorize transition is the gate; the Monitor step is what keeps the ATO alive.

NIST Risk Management Framework cycle

A NIST Risk Management Framework (RMF, SP 800-37 Rev 2) compliance cycle rendered as a BPMN 2.0 process map. Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor - the cadence federal agencies and contractors run to obtain and maintain an Authorization to Operate (ATO).

  1. Prepare: establish organisation- and system-level context (roles, risk tolerance, common controls) - added in SP 800-37 Rev 2.
  2. Categorize the information system per FIPS 199.
  3. Select baseline controls from NIST SP 800-53.
  4. Implement controls and document them in the System Security Plan.
  5. Assess control implementation per NIST SP 800-53A.
  6. Authorizing official reviews the package; if risk is acceptable, the Authority to Operate (ATO) is granted.
  7. Continuous monitoring keeps the system in an authorized state.
NIST RMF FAQ

What is the difference between the NIST RMF and the NIST CSF?

The RMF (SP 800-37 Rev 2) is a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing risk to federal information systems and supports the ATO process. The Cybersecurity Framework (CSF 2.0, released February 2024) is an outcome-oriented framework with six functions - Govern (added in 2.0), Identify, Protect, Detect, Respond, Recover - used widely outside government. The RMF is a "how to authorise an information system" process; the CSF is a "how to organise cybersecurity outcomes" framework.

How does NIST SP 800-171 fit in?

SP 800-171 specifies the protection requirements for Controlled Unclassified Information (CUI) held in non-federal systems and organisations, and its requirements are the basis of CMMC Level 2. SP 800-53 (federal systems) and SP 800-171 (non-federal custodians of CUI) therefore cover related but distinct populations.

How long does an ATO take?

A first-time ATO typically takes 12–18 months from boundary definition through authorization. Subsequent ATOs are shorter if the baseline and SSP roll forward and continuous monitoring evidence is intact.

What is the FedRAMP relationship to NIST?

FedRAMP is the government-wide programme that applies the NIST SP 800-53 control baselines to cloud service providers serving the US federal government, with a standardised assessment and authorization process. A FedRAMP authorization package can be reused across agencies, but each agency still issues its own ATO for its use of the service and remains accountable under FISMA for the system it deploys on it.


Turn the NIST RMF checklist into a working process

Open the NIST RMF process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.