The NIST Risk Management Framework In One Picture


The NIST Risk Management Framework (RMF) is thoroughly described in NIST special publication 800-37… but it’s short on images, and most people are visually oriented. So here’s a graphical summary. You can download it here.

Figure: UML activity diagram of the NIST RMF. The NIST risk management framework, broken down by the main party responsible for the tasks. The process is composed of six steps that are further broken down into twenty-four tasks. Most diagrams show only the six steps. The tasks are color coded according to their phase in the system life cycle. The orange boxes show additional standards that should be consulted.

The diagram entry point is the solid black dot at the upper left, and a pass through the process ends at the bull’s-eye in the lower left. The vertical “swim lanes” specify the main actor responsible for each task. For example, the CIO is responsible for Task 2-1. This diagram is a simplification: for that same task, the standard also says that the Senior Information Security Officer, Information Security Architect, and Common Control Provider may have primary responsibility, and that five other roles may support that step. It would be hard to show all of those in the diagram.

Of course systems, threats, risks, and nearly everything else evolve over time, so the process must be revisited periodically.

One thing that might jump out at you is that many of the tasks are the responsibility of the Information System Owner, who may not be the best trained or best equipped actor in the diagram. Another conclusion is that the process is pretty complicated: some kind of workflow would be desirable to keep track of the status of all the tasks, and some kind of database would be desirable to keep track of all the results. In the event of a breach, it would be nightmarish to prove that you actually followed best practices without a workflow and a database.
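To make the workflow-plus-database idea concrete, here is an added example (not from the post, the diagram, or NIST) of a minimal tracker: it holds a task per RMF step, refuses to close a task while any task in an earlier step is still open, refuses to let anyone but the responsible role close it, and keeps an append-only log of the evidence reference for each completed task so that "show me you did Task 2-1" has an answer. The six step names are those of SP 800-37; the task subset is constructed from my reading of revision 1, and the owners are illustrative except Task 2-1, which the diagram assigns to the CIO.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six RMF steps of SP 800-37, numbered to match "<step>-<task>" ids such as "2-1".
STEPS = {1: "Categorize", 2: "Select", 3: "Implement",
         4: "Assess", 5: "Authorize", 6: "Monitor"}


@dataclass
class Task:
    task_id: str                 # "<step>-<n>", e.g. "2-1"
    name: str
    owner: str                   # role with primary responsibility (simplified to one per task)
    status: str = "open"         # "open" or "done"
    evidence: list = field(default_factory=list)

    @property
    def step(self) -> int:
        return int(self.task_id.split("-")[0])


class RmfTracker:
    """Workflow state plus an append-only result log for RMF tasks."""

    def __init__(self, tasks):
        self.tasks = {t.task_id: t for t in tasks}
        self.log = []            # (utc timestamp, task_id, actor, evidence); never edited, only appended

    def blockers(self, task_id):
        """Tasks in earlier steps that are still open; a task may not close while any remain."""
        step = self.tasks[task_id].step
        return [t.task_id for t in self.tasks.values()
                if t.step < step and t.status != "done"]

    def complete(self, task_id, actor, evidence):
        """Close a task, enforcing responsibility and step order, and record the evidence."""
        task = self.tasks[task_id]
        if actor != task.owner:
            raise PermissionError(f"{actor} is not responsible for task {task_id} ({task.owner} is)")
        blocked_by = self.blockers(task_id)
        if blocked_by:
            raise ValueError(f"task {task_id} is blocked by open tasks {blocked_by}")
        task.status = "done"
        task.evidence.append(evidence)
        self.log.append((datetime.now(timezone.utc).isoformat(), task_id, actor, evidence))
        return task

    def progress(self):
        """(done, total) per step, the view a status dashboard would show."""
        out = {}
        for step, name in STEPS.items():
            in_step = [t for t in self.tasks.values() if t.step == step]
            out[name] = (sum(1 for t in in_step if t.status == "done"), len(in_step))
        return out

    def evidence_for(self, task_id):
        """Every log entry for one task, for an auditor asking 'show me you did 2-1'."""
        return [entry for entry in self.log if entry[1] == task_id]


def build_sample_tracker():
    """Constructed subset of tasks; owners are illustrative except 2-1 (CIO, per the diagram)."""
    return RmfTracker([
        Task("1-1", "Security Categorization", "Information System Owner"),
        Task("2-1", "Common Control Identification", "CIO"),
        Task("2-2", "Security Control Selection", "Information System Owner"),
        Task("3-1", "Security Control Implementation", "Information System Owner"),
        Task("4-1", "Assessment Preparation", "Security Control Assessor"),
        Task("5-1", "Plan of Action and Milestones", "Information System Owner"),
        Task("6-1", "Information System and Environment Changes", "Information System Owner"),
    ])


if __name__ == "__main__":
    tracker = build_sample_tracker()
    tracker.complete("1-1", "Information System Owner", "doc:categorization-memo")  # constructed reference
    tracker.complete("2-1", "CIO", "doc:common-controls-list")                       # constructed reference
    print(tracker.progress())
    print(tracker.evidence_for("2-1"))
```

The ordering rule is deliberately coarse (a whole step must finish before the next starts); a real tool would model the per-task dependencies the diagram's arrows show, and would write the log somewhere the task owners cannot edit, since the log is only useful as proof if it cannot be rewritten after the fact.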

