FISMA & NIST RMF

Josef Kamara, CPA, CISSP, CISA · Updated May 6, 2026 · 1 minute read

Implement Step (RMF Step 3)

The third step of the Risk Management Framework, in which the system owner implements the selected controls and documents how each control is satisfied in the System Security Plan. Implementation evidence accumulated here becomes the input to the assessment step; weak documentation at the implement step is the most common driver of assessment delay.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.