Risk Management Framework (RMF for ICS/OT)

The Risk Management Framework (RMF) is a structured NIST process for managing cybersecurity risk across an information system's lifecycle. In OT and industrial control system contexts, RMF is applied with NIST SP 800-82 Rev 3 as the operational-technology overlay — the six RMF steps stay the same, but the risk model, control selection, and assessment criteria all shift to reflect OT priorities.

The six RMF steps

The NIST RMF (currently specified in NIST SP 800-37 Rev 2) consists of:

  1. Prepare — establish the risk management context, roles, and common controls.
  2. Categorize — determine the impact level of the system based on confidentiality, integrity, and availability.
  3. Select — choose the security controls from the NIST SP 800-53 catalog that meet the categorization.
  4. Implement — deploy the controls and document as-implemented behavior.
  5. Assess — test the controls against the assessment procedures in NIST SP 800-53A.
  6. Authorize — the Authorizing Official accepts residual risk and grants authorization to operate.
  7. Monitor — continuous monitoring of control effectiveness and environmental change.

The framework is iterative, not linear — changes to the system, threat environment, or control state trigger re-entry into earlier steps.

What changes for ICS/OT

NIST SP 800-82 Rev 3 (Guide to Operational Technology Security) provides the OT overlay. Four material differences from the IT application of RMF:

Availability dominates categorization. In IT systems, confidentiality is often the primary concern. In OT, a system outage that stops production, causes a safety event, or interrupts a power grid carries higher consequence than a data disclosure. Categorization decisions reflect this.

Control selection must consider deterministic behavior. Security controls that work in IT — active scanning, endpoint agents, inline inspection — can disrupt control loops with tight latency budgets. 800-82 Rev 3 flags controls that require tailoring for OT and provides specific guidance on each.

Implementation is frequently compensating. Many 800-53 controls cannot be implemented on the OT asset itself. Implementation shifts to network, physical, or procedural compensating controls. The SSP documents the original control, the asset's limitation, and the compensating mechanism.

Assessment must not disturb the process. An assessor cannot run port scans against production PLCs or inject test traffic into a running control loop. Assessment procedures rely on passive observation, configuration review, and scheduled maintenance-window testing.

Relationship to CMMC, IEC 62443, and 800-171

  • CMMC Level 2 requires implementation of the 110 NIST SP 800-171 Rev 2 controls. NIST SP 800-171 is a subset of 800-53 focused on CUI protection. RMF applied to a CMMC environment uses 800-171 as the control baseline and 800-82 for OT tailoring.
  • IEC 62443 is the international standard for industrial automation security. Zones, conduits, and Security Levels (SL 1–4) provide a parallel risk model. Many organizations run RMF as the governance process and 62443 as the technical architecture.
  • NIST SP 800-53 Rev 5 is the control catalog RMF draws from. 800-82 Rev 3 provides OT-specific overlays for each family.

Typical ICS/OT RMF workflow

A manufacturing plant subject to both CMMC and RMF would typically:

  1. Categorize the OT network as high-availability, moderate-integrity, moderate-confidentiality.
  2. Select controls from 800-171 (for CUI) and 800-53 (for non-CUI systems), using 800-82 Rev 3 overlays for OT tailoring.
  3. Implement controls — natively where possible, as compensating network-layer enforcement where the asset cannot support them.
  4. Assess through passive observation plus documented configuration review, avoiding active testing on production equipment.
  5. Authorize with explicit acknowledgment of Enduring Exceptions and compensating controls.
  6. Monitor through network-layer telemetry (session logs, protocol anomalies) because endpoint monitoring is not available on most OT assets.
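The Monitor step above relies on network-layer session telemetry rather than endpoint agents, and the Assess step rules out active probing of production assets. The following added example (not from the page or any vendor product) shows the shape of such a passive check: a constructed conduit baseline is compared against constructed session records, and any session outside the baseline is reported for review. Zone labels, protocol names, field names and the log format are all assumptions made for the example.

```python
"""Passive network-layer monitoring check for an OT segment (added example).

The conduit baseline and the session records are constructed for this example;
field names and zone labels are assumptions, not a format from any standard.
"""

# Constructed baseline: (source zone, destination zone, protocol) -> permitted
# operations. Any session outside it is an anomaly for the Monitor step to review.
CONDUIT_BASELINE = {
    ("hmi", "plc", "modbus"): {"read", "write"},
    ("historian", "plc", "modbus"): {"read"},
    ("eng-ws", "plc", "s7comm"): {"read", "write", "program"},
}

# Constructed session log (not captured from a real network), key=value per line.
SAMPLE_SESSION_LOG = """\
ts=2024-05-01T08:00:01Z src=hmi dst=plc proto=modbus op=read
ts=2024-05-01T08:00:02Z src=historian dst=plc proto=modbus op=read
ts=2024-05-01T08:00:03Z src=historian dst=plc proto=modbus op=write
ts=2024-05-01T08:00:04Z src=laptop-17 dst=plc proto=modbus op=read
ts=2024-05-01T08:00:05Z src=eng-ws dst=plc proto=s7comm op=program
ts=2024-05-01T08:00:06Z src=hmi dst=plc proto=http op=read
"""


def parse_session_line(line):
    """Parse one key=value session record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def find_anomalies(log_text, baseline=CONDUIT_BASELINE):
    """Return (ts, src, dst, proto, op, reason) for each session that leaves
    the baseline. Only the passive record is consulted; nothing is sent to the
    asset, which is what keeps this usable on production equipment."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_session_line(line)
        allowed = baseline.get((rec["src"], rec["dst"], rec["proto"]))
        if allowed is None:
            reason = "no baselined conduit for this source/destination/protocol"
        elif rec["op"] not in allowed:
            reason = f"operation '{rec['op']}' not permitted on this conduit"
        else:
            continue
        findings.append((rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["op"], reason))
    return findings
```

Against the sample log this reports the historian writing to the PLC, an unbaselined laptop talking Modbus, and HTTP from the HMI; each is a record for the continuous-monitoring review, not an automatic block.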

Access Gate connection

Access Gate implements the Select and Implement RMF steps for OT-specific compensating controls — network-layer identity, protocol filtering, and session audit that RMF assessors can verify without disturbing production. See DoD Zero Trust OT Alignment.