NIST has finalized the first wave of post-quantum standards and the federal mandates are no longer aspirational. Here is what ISSOs, architects, and crypto inventory owners need to have on paper in 2026.
Agentic systems with tool calls, MCP servers, and dynamic context don’t fit the static system boundary model RMF was built for. Here is how to draw a defensible boundary in 2026.
RMF Control SR-9: Tamper Resistance and Detection requires organizations to implement anti-tamper technologies and techniques to protect systems and system components from unauthorized modification or disruption. This is important for protecting information systems from unauthorized access and ensuring that systems are performing as expected. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework …
RMF Control SI-15: Information Output Filtering requires organizations to validate information before it is output to users or systems. This is important for protecting information systems from unauthorized access and disclosure. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk to systems and organizations. RMF …
RMF Control SC-40: Wireless Link Protection requires organizations to protect external and internal wireless communication links that may be visible to individuals who are not authorized information system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of …
RMF Control SA-10: Developer Configuration Management requires organizations to ensure that software and firmware components distributed to the organization are exactly as specified by the master copies. This is important for protecting information systems from unauthorized changes and ensuring that systems are performing as expected. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity …
RMF Control RA-4: Risk Assessment Update requires organizations to update their risk assessments on a regular basis to ensure that they are accurate and up-to-date. This is important because cybersecurity risks are constantly changing, and organizations need to be aware of the latest threats and vulnerabilities in order to protect their systems and data. Supplemental …
RMF Control PT-3: Personally Identifiable Information Processing Purposes requires organizations to identify and document the purpose(s) for processing personally identifiable information (PII), describe the purpose(s) in the public privacy notices and policies of the organization, restrict the processing of PII to only that which is compatible with the identified purpose(s), and monitor changes in processing …
RMF Control PS-6: Access Agreements requires organizations to establish and implement access agreements for all individuals with access to information systems. Access agreements should specify the types of access that are authorized, the purposes for which access is granted, and the conditions that must be met in order to maintain access. Supplemental Guidance The Risk …
RMF Control PM-3: Information Security and Privacy Resources requires organizations to ensure that all capital planning and investment requests include the resources needed to implement the information security and privacy programs, and documents all exceptions to this requirement. Organizations should also prepare documentation required for addressing information security and privacy programs in capital planning and …
