FISMA & NIST RMF

Select Step (RMF Step 2)

The second operational step of the Risk Management Framework, in which the system owner selects the appropriate NIST SP 800-53 baseline (Low, Moderate, or High) based on the categorization, then tailors the baseline by adding, removing, or supplementing controls to address system-specific risk. The output is a documented set of controls and a draft System Security Plan that frames everything that follows.
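The two moves in this step, picking the baseline from the categorization and then tailoring it with a written reason for every change, can be shown as a small model. The example below is added here and is not code from the glossary or from NIST; it assumes the high-water mark rule (the system's overall impact level is the highest of its confidentiality, integrity and availability impact levels), and its baseline contents are constructed for illustration only, not the real SP 800-53 baselines. Only the control identifier format (AC-17, AU-6, SC-28) is real.

```python
"""Added example, not part of the glossary entry: a model of RMF Step 2.

Select: the high-water mark of the C/I/A impact levels picks the Low,
Moderate or High baseline.  Tailor: add, remove or supplement controls,
each with a justification, and emit the documented control set that seeds
the draft System Security Plan.
"""
from dataclasses import dataclass, field

IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

# Constructed sample baselines (NOT the real SP 800-53 baselines).  Each
# higher baseline contains the lower one, which is how the real ones nest.
SAMPLE_BASELINES = {
    "LOW": {"AC-1", "AC-2", "AU-2", "IA-2", "SC-7"},
    "MODERATE": {"AC-1", "AC-2", "AC-17", "AU-2", "AU-6", "IA-2", "SC-7", "SI-4"},
    "HIGH": {"AC-1", "AC-2", "AC-17", "AU-2", "AU-6", "AU-12", "IA-2",
             "SC-7", "SI-4", "SC-28"},
}


def high_water_mark(confidentiality, integrity, availability):
    """Overall impact level = the highest of the three FIPS 199 impact levels."""
    levels = [s.upper() for s in (confidentiality, integrity, availability)]
    unknown = [lvl for lvl in levels if lvl not in IMPACT_ORDER]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


@dataclass
class ControlSet:
    """Selected controls plus the tailoring record that the SSP must carry."""
    baseline_level: str
    controls: set
    parameters: dict = field(default_factory=dict)   # organization-defined values
    log: list = field(default_factory=list)          # (action, target, justification)

    @staticmethod
    def _require_justification(justification):
        # A tailoring decision without a written reason is not documentable.
        if not justification or not justification.strip():
            raise ValueError("every tailoring decision needs a written justification")

    def add(self, control, justification):
        self._require_justification(justification)
        if control in self.controls:
            raise ValueError(f"{control} is already selected")
        self.controls.add(control)
        self.log.append(("add", control, justification))

    def remove(self, control, justification):
        self._require_justification(justification)
        if control not in self.controls:
            raise ValueError(f"{control} is not in the selected set")
        self.controls.remove(control)
        self.log.append(("remove", control, justification))

    def supplement(self, control, parameter, value, justification):
        # Modelled here as assigning an organization-defined parameter to a
        # control that is already selected (an assumption of this example).
        self._require_justification(justification)
        if control not in self.controls:
            raise ValueError(f"{control} must be selected before it is supplemented")
        self.parameters[(control, parameter)] = value
        self.log.append(("supplement", f"{control}[{parameter}]={value}", justification))

    def draft_ssp_section(self):
        """The documented control set that frames the rest of the RMF."""
        return {
            "baseline": self.baseline_level,
            "controls": sorted(self.controls),
            "parameters": {f"{c}[{p}]": v for (c, p), v in sorted(self.parameters.items())},
            "tailoring_decisions": list(self.log),
        }


def select_baseline(confidentiality, integrity, availability, baselines=SAMPLE_BASELINES):
    level = high_water_mark(confidentiality, integrity, availability)
    return ControlSet(baseline_level=level, controls=set(baselines[level]))


def example_select_step():
    """Constructed walk-through: Moderate system, three tailoring decisions."""
    cs = select_baseline("moderate", "low", "low")
    cs.add("SC-28", "System stores PII at rest on removable media; add protection at rest.")
    cs.remove("AC-17", "No remote access is permitted; control is not applicable.")
    cs.supplement("AU-6", "review frequency", "weekly", "Matches agency audit review policy.")
    return cs.draft_ssp_section()


if __name__ == "__main__":
    import json
    print(json.dumps(example_select_step(), indent=2))
```

The point the model makes explicit is that the deliverable of Step 2 is not a bare list of control IDs but the list together with the tailoring log; a removal with no justification is rejected, which is exactly what an assessor will do later if the SSP cannot explain why a baseline control is missing.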

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.