A structured walkthrough of all seven RMF steps — from system preparation through categorization, control selection, assessment, authorization, and continuous monitoring. Export your complete package for ATO documentation.
The RMF process spans months of documentation, control work, and stakeholder coordination. Without structure, it devolves into disconnected spreadsheets and approval delays.
This tool keeps the entire lifecycle in one place — checklists, categorization tables, control selection, findings tracking, and authorization documentation — advancing you from Prepare through Monitor with every step building on the last.
Each step builds on the last. Work through them in order or jump to any step — the tool keeps all your inputs and lets you return at any point.
Establish organizational risk context: mission, business functions, risk tolerance, stakeholder assignments, and common control sources. System-level preparation documents the authorization boundary and identifies the ISSO, ISSM, system owner, and authorizing official.
Assign FIPS 199 impact levels (Low, Moderate, High) for Confidentiality, Integrity, and Availability using guided information type selection aligned to SP 800-60 Vol II. The overall system impact level is automatically derived and drives baseline selection in Step 3.
Choose an SP 800-53 control baseline (Low, Moderate, or High) based on your categorization result. Apply overlays (Privacy, CUI, cloud), exclude controls with documented justification, and mark controls as common, hybrid, or system-specific. Add organization-defined parameters where the baseline requires specification.
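As an added worked example (not the tool's own code), the derivation Steps 2 and 3 describe carried through in Python: each security objective takes the highest provisional impact across the selected information types (with any documented adjustments applied), the system-level impact is the FIPS 199 high-water mark across Confidentiality, Integrity and Availability, that level selects the SP 800-53 baseline, and every excluded control must carry a written justification while retained controls are marked common, hybrid or system-specific. The information types and their provisional levels are constructed sample values, not entries from SP 800-60 Vol II; AC-2, AC-18 and AU-6 are real SP 800-53 control identifiers used only as illustrations; the function names and the JSON package layout are assumptions of this example.

```python
"""FIPS 199 categorization -> high-water mark -> SP 800-53 baseline tailoring.

Illustrative code written for this page, not the tool's own implementation.
The sample catalogue below is constructed, not taken from SP 800-60 Vol II.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("Low", "Moderate", "High")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")
ALLOCATIONS = {"common", "hybrid", "system-specific"}


@dataclass(frozen=True)
class InfoType:
    """One information type with provisional C/I/A impact levels."""
    name: str
    provisional: Dict[str, str]


# Constructed sample catalogue (hypothetical types and levels).
SAMPLE_CATALOGUE: List[InfoType] = [
    InfoType("Public Web Content", {"Confidentiality": "Low", "Integrity": "Moderate", "Availability": "Low"}),
    InfoType("Personnel Records", {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Low"}),
    InfoType("Incident Coordination", {"Confidentiality": "Moderate", "Integrity": "High", "Availability": "High"}),
]


def _check_level(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def categorize(info_types: List[InfoType],
               adjustments: Optional[Dict[Tuple[str, str], str]] = None) -> Dict[str, str]:
    """Per-objective impact: the highest provisional level over all selected types.
    `adjustments` maps (type name, objective) to a documented override level."""
    adjustments = adjustments or {}
    categorization: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [_check_level(adjustments.get((t.name, objective), t.provisional[objective]))
                  for t in info_types]
        # High-water mark over the information types; an empty selection defaults to Low.
        categorization[objective] = max(levels, key=RANK.__getitem__) if levels else "Low"
    return categorization


def overall_impact(categorization: Dict[str, str]) -> str:
    """System-level impact is the FIPS 199 high-water mark across C, I and A."""
    return max((categorization[o] for o in OBJECTIVES), key=RANK.__getitem__)


def security_category(categorization: Dict[str, str]) -> str:
    """Render the categorization in FIPS 199 notation."""
    parts = ", ".join(f"({o.lower()}, {categorization[o].upper()})" for o in OBJECTIVES)
    return f"SC information system = {{{parts}}}"


def tailor_baseline(overall: str, exclusions: Dict[str, str],
                    allocation: Dict[str, str]) -> Dict[str, object]:
    """Record the baseline chosen by `overall` plus tailoring decisions.
    Excluded controls need a non-empty justification; retained controls need a
    valid allocation; a control cannot be both excluded and allocated."""
    _check_level(overall)
    for control, justification in exclusions.items():
        if not justification.strip():
            raise ValueError(f"exclusion of {control} has no documented justification")
    bad = {c: a for c, a in allocation.items() if a not in ALLOCATIONS}
    if bad:
        raise ValueError(f"invalid allocation(s): {bad}")
    both = set(exclusions) & set(allocation)
    if both:
        raise ValueError(f"controls both excluded and allocated: {sorted(both)}")
    return {"baseline": overall, "exclusions": dict(exclusions), "allocation": dict(allocation)}


def build_package(info_types: List[InfoType],
                  adjustments: Optional[Dict[Tuple[str, str], str]] = None,
                  exclusions: Optional[Dict[str, str]] = None,
                  allocation: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Assemble the Step 2 and Step 3 records; Step 3 is driven by Step 2's result."""
    sc = categorize(info_types, adjustments)
    overall = overall_impact(sc)
    return {
        "step2_categorize": {"information_types": [t.name for t in info_types],
                             "categorization": sc, "overall": overall,
                             "security_category": security_category(sc)},
        "step3_select": tailor_baseline(overall, exclusions or {}, allocation or {}),
    }


def export_json(package: Dict[str, object]) -> str:
    """Serialize the package fragment as the kind of JSON record a tool would save."""
    return json.dumps(package, indent=2, sort_keys=True)


if __name__ == "__main__":
    pkg = build_package(
        SAMPLE_CATALOGUE,
        adjustments={("Incident Coordination", "Availability"): "Moderate"},
        exclusions={"AC-18": "Not applicable: the system has no wireless network interfaces."},
        allocation={"AC-2": "system-specific", "AU-6": "hybrid"},
    )
    print(export_json(pkg))
```

Lowering a single objective of one information type does not change the outcome here because Integrity on "Incident Coordination" still carries the High mark; that is the point of the high-water rule, and the reason a single High-impact type pulls the whole system into the High baseline.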
Track implementation status per control. Document implementation approach, responsible parties, and system-specific parameters. Identify controls that are inherited, partially implemented, or require configuration changes to reach compliance.
Record assessment findings per control family with severity ratings (Critical, High, Moderate, Low, Informational). Generate a POA&M (Plan of Action & Milestones) for open findings. The tool tracks finding counts, severities, and overall risk posture heading into authorization.
Document the authorization decision — ATO (Authority to Operate), IATT (Interim Authority to Test), or DATO (Denial of Authorization to Operate) — along with authorization boundary, conditions, acceptance of residual risk, and the Authorizing Official's determination.
Maintain ongoing authorization by tracking the continuous monitoring strategy, POA&M remediation progress, significant change triggers, and reauthorization conditions. The full authorization summary at this step consolidates all seven steps into a single executive-level view.
All seven steps and all documentation fields are available free. Pro adds the ability to save your full RMF package and produce a comprehensive authorization report.
Save your complete RMF documentation — all seven steps — as a structured JSON file. Import it later to resume work or archive as an authorization package record.
Generate a comprehensive multi-section report covering all seven RMF steps — findings, categorization, baseline, authorization decision, and POA&M — suitable for package submission or leadership briefing.
Walk through all seven steps in your browser. Export your full package as JSON when you're done to preserve and share your work.