What are the steps in the RMF (SP 800-37) authorization lifecycle?
RMF has seven steps: Prepare, Categorize the system, Select controls, Implement them, Assess their effectiveness, Authorize (the authorizing official accepts residual risk and issues the ATO), and Monitor continuously. It is a lifecycle, not a one-time gate —…
Answer.
RMF has seven steps: Prepare, Categorize the system, Select controls, Implement them, Assess their effectiveness, Authorize (the authorizing official accepts residual risk and issues the ATO), and Monitor continuously. It is a lifecycle, not a one-time gate — the Monitor step loops back. Planisphere maps to the Assess and Monitor steps for AI components, supplying reproducible behaviour evidence and a re-run cadence; it does not perform categorization or issue the authorization.
The mark behind the answer.
Risk Management Framework · the 7-step ATO lifecycle the package follows.
More on RMF (SP 800-37).
Prepare evidence for RMF (SP 800-37) review.
First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.