Practitioner's Guide

Risk Management Frameworks for Government IT

A practitioner's guide to NIST 800-53 and IRS Publication 1075.

How the NIST Risk Management Framework, the 800-53 control catalog, and IRS Pub 1075 actually fit together — written from years of building and defending these programs in government environments.


Why this matters

Government IT runs under some of the strictest security rules anywhere. Pick the wrong framework, or treat the right one as a checkbox, and you end up with a security program that satisfies no one — not your auditors, not your leadership, and not the public whose data you hold. Get it right and the framework becomes the thing that tells you where to spend, what to fix first, and how to prove it.

Two frameworks sit at the center of this work for most agencies: the NIST Risk Management Framework, built on SP 800-53, and IRS Publication 1075. If you handle Federal Tax Information, you'll deal with both, and you need to know exactly where they overlap and where they pull apart.

This guide breaks down what each one is, how the pieces relate, and how to run them together without drowning in duplicate work.

First, what "RMF" actually means

Here's a distinction that trips up a lot of teams: the Risk Management Framework and the 800-53 control catalog are not the same thing.

The NIST Risk Management Framework (RMF), defined in SP 800-37, is the process — the seven steps you walk to manage risk on a system across its life.

NIST SP 800-53 is the catalog — the library of security and privacy controls you pull from during that process.

Think of the RMF as the method and 800-53 as the parts bin. You run the method; you select parts from the bin. Blurring the two leads to sloppy documentation and audit findings, so it's worth keeping straight from day one.

The NIST RMF: seven steps

The RMF process moves through seven steps:

  1. Prepare — get the organization and the system ready: roles, risk tolerance, common controls.
  2. Categorize — rate the system's impact level (Low, Moderate, or High) under FIPS 199, based on what a loss of confidentiality, integrity, or availability would do.
  3. Select — choose the control baseline that matches the category, then tailor it.
  4. Implement — put the controls in place and document how.
  5. Assess — test whether the controls actually work as documented.
  6. Authorize — a senior official accepts the residual risk and grants an Authorization to Operate (ATO).
  7. Monitor — watch the controls continuously and feed changes back into the process.

This loop is the backbone of FISMA compliance for federal systems. The last step matters most and gets shortchanged most: authorization is a moment, but monitoring is the job.

NIST SP 800-53: the control catalog

SP 800-53 is the security and privacy control catalog for federal information systems, and it has spread well past government into healthcare, finance, and any vendor chasing a federal contract.

A few things worth knowing about the current edition:

  • It's organized into 20 control families, from Access Control (AC) to System and Information Integrity (SI), holding well over a thousand individual controls.
  • Revision 5 (2020) was the big shift. It folded privacy controls directly into the catalog instead of a separate appendix, added two families — PT for personally identifiable information processing and transparency, and SR for supply chain risk management — moved the Low/Moderate/High baselines into a companion document (SP 800-53B), and rewrote controls in outcome-based, technology-neutral language so they apply to cloud, on-prem, and IoT alike.
  • The catalog keeps getting incremental updates. Release 5.2.0, issued in August 2025, added controls aimed at software supply chain and update integrity — including root cause analysis for failed updates and designing systems for cyber resiliency — in response to recent federal direction on patching.

Scope: federal agencies and contractors, plus anyone who adopts it voluntarily. Strength: breadth, maturity, and a mapped assessment methodology in SP 800-53A. Best for: building a defensible, general-purpose federal security foundation.

IRS Publication 1075: the FTI overlay

Pub 1075 — "Tax Information Security Guidelines for Federal, State and Local Agencies and Entities" — is narrower but deeper. It governs any organization that receives, processes, stores, or transmits Federal Tax Information (FTI): state revenue and child-support agencies, local governments, and their contractors, all under the authority of IRC 6103.

What a practitioner needs to know about the current state:

  • The November 2021 revision took effect June 10, 2022. It aligned Pub 1075 directly to NIST 800-53 Rev 5 and added supply chain risk management requirements.
  • As of January 1, 2025, agencies face tightened expectations — role-based training, insider threat awareness, and tested incident response plans among them.
  • The IRS Office of Safeguards reviews agencies periodically. Miss the mark and you can lose FTI access, which for many programs means the program stops.
  • Penalties are personal, not just organizational. Unauthorized disclosure of FTI is a felony (IRC 7213); unauthorized inspection is a misdemeanor (IRC 7213A); both carry fines and prison time, and IRC 7431 adds civil damages.
  • Contractors supporting IRS work have their own companion standard, Pub 4812, updated in late 2024 to sharpen contractor security and supply chain scrutiny.

Scope: any entity touching FTI. Strength: prescriptive, audit-ready safeguards built specifically for tax data. Best for: organizations that need clear, IRS-aligned boundaries around FTI.

Head-to-head

Dimension          | NIST SP 800-53                              | IRS Publication 1075
-------------------+---------------------------------------------+-----------------------------------------------------
Primary audience   | Federal agencies and contractors            | Entities handling FTI
Control philosophy | Risk-based, tailorable baselines            | Prescriptive, FTI-specific safeguards
Audit focus        | System ATO and continuous monitoring        | FTI access, transmission, and disposal
Incident response  | Built into the IR control family            | Mandatory IRS notification within set timelines
Physical security  | Physical and Environmental (PE) controls    | Specific FTI storage, handling, and disposal rules
Personnel          | Personnel Security (PS) family              | Background investigations to IRS standards
Update cadence     | Periodic NIST releases (latest 5.2.0, 2025) | IRS revisions plus interim Safeguards guidance

How they actually fit together

The thing to understand: these frameworks aren't competitors. Pub 1075 sits on top of 800-53. The IRS built its safeguards by mapping to NIST controls, so if you run 800-53 well, you're most of the way to Pub 1075 already.

The move that saves you the most pain is mapping Pub 1075 safeguards to your 800-53 controls during the Select step — early, while you're choosing controls — instead of retrofitting tax-specific rules after the system is built. I've watched teams burn months unwinding an environment because FTI handling was bolted on at the end rather than designed in. Plan the overlap once and you maintain one control set with FTI annotations, not two parallel programs.

For agencies whose footprint runs wider, a few neighbors are worth a mention:

  • FedRAMP governs cloud services used by federal agencies and is itself built on 800-53 baselines.
  • CMMC applies if you're in the defense industrial base handling controlled unclassified information.
  • NIST CSF 2.0 is voluntary and outcome-focused — useful for talking risk with leadership, but not a substitute for the control-level rigor of 800-53.

Practical recommendations

Building general federal systems: Start with 800-53 Rev 5. Categorize under FIPS 199, pull the matching baseline from 800-53B, and tailor. Run the full RMF loop and treat monitoring as ongoing work, not a closeout task.

Handling FTI: Pub 1075 is non-negotiable, layered on whatever baseline your agency already runs. Build to the current revision, account for the January 2025 requirements, and keep your Safeguard Security Report and corrective action plans current — the Office of Safeguards will ask.

Running a hybrid environment: Most state and local agencies live here. Map Pub 1075 to 800-53 during Select, document the overlap once, and you turn a compliance burden into a single, governable control set.
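Here is what the Categorize-then-Select flow from the three recommendations above looks like when modelled in a few lines of Python: rate the system, pull the matching baseline, lay the FTI overlay on top, and keep one annotated control set with the overlay-only gaps flagged for tailoring. This is an added example, not code from the guide, from NIST or from the IRS. The control identifiers and titles are real SP 800-53 Rev 5 ones, but the baseline membership, the safeguard-to-control mapping in the overlay and the impact ratings fed in are constructed sample data, and the high-water-mark rule in `categorize` (overall impact level is the highest of the three objectives) comes from FIPS 200 rather than from this page.

```python
"""Added example (not from the guide, NIST or the IRS): a small model of the
RMF Categorize and Select steps that merges an 800-53 baseline with an FTI
overlay, so the result is one annotated control set rather than two parallel
programs.

Assumptions: control ids and titles are real SP 800-53 Rev 5 identifiers, but
the baseline contents and the Pub 1075 mapping below are constructed sample
data for illustration, not the contents of SP 800-53B or the IRS's actual
safeguard-to-control mapping.
"""
from dataclasses import dataclass, field

IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """RMF step 2: overall impact level is the high-water mark (FIPS 200 rule)
    across the three FIPS 199 security objectives."""
    levels = (confidentiality, integrity, availability)
    for level in levels:
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


# Constructed sample baselines keyed by impact level (NOT the real 800-53B
# baselines, which are far larger; just enough here to show tailoring).
SAMPLE_BASELINES = {
    "Low": {
        "AC-2": "Account Management",
        "IR-6": "Incident Reporting",
        "PE-3": "Physical Access Control",
    },
    "Moderate": {
        "AC-2": "Account Management",
        "AU-6": "Audit Record Review, Analysis, and Reporting",
        "IR-6": "Incident Reporting",
        "PE-3": "Physical Access Control",
        "SC-8": "Transmission Confidentiality and Integrity",
    },
}
SAMPLE_BASELINES["High"] = dict(SAMPLE_BASELINES["Moderate"])

# Constructed FTI overlay: (control id, title, annotation). The annotations
# paraphrase the guide's comparison table; which control each one hangs on
# is an assumption made for this example.
SAMPLE_FTI_OVERLAY = [
    ("IR-6", "Incident Reporting", "Mandatory IRS notification within set timelines"),
    ("PE-3", "Physical Access Control", "FTI storage and handling rules"),
    ("MP-6", "Media Sanitization", "FTI disposal rules"),
    ("PS-3", "Personnel Screening", "Background investigations to IRS standards"),
    ("AT-3", "Role-Based Training", "Role-based training required as of January 1, 2025"),
]


@dataclass
class Control:
    control_id: str
    title: str
    sources: set = field(default_factory=set)      # where the requirement comes from
    fti_notes: list = field(default_factory=list)  # Pub 1075 annotations, if any


def select_controls(impact_level: str, overlay=SAMPLE_FTI_OVERLAY):
    """RMF step 3: start from the baseline for the impact level, then lay the
    FTI overlay on top. Returns (merged control set, sorted overlay-only gaps)."""
    baseline = SAMPLE_BASELINES[impact_level]
    merged = {
        cid: Control(cid, title, sources={f"800-53B {impact_level} (sample)"})
        for cid, title in baseline.items()
    }
    gaps = []
    for cid, title, note in overlay:
        ctl = merged.get(cid)
        if ctl is None:
            # The safeguard has no baseline control behind it: add it now,
            # during Select, instead of retrofitting after the build.
            ctl = Control(cid, title)
            merged[cid] = ctl
            gaps.append(cid)
        ctl.sources.add("Pub 1075")
        ctl.fti_notes.append(note)
    return merged, sorted(gaps)


def render(merged: dict) -> str:
    """One table for auditors: the single control set with FTI annotations."""
    lines = []
    for cid in sorted(merged):
        ctl = merged[cid]
        notes = "; ".join(ctl.fti_notes) or "-"
        lines.append(f"{cid:6} {ctl.title:46} {', '.join(sorted(ctl.sources)):36} {notes}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed ratings for a system holding FTI: confidentiality drives the level.
    level = categorize("Moderate", "Moderate", "Low")
    controls, gaps = select_controls(level)
    print(f"Impact level: {level}")
    print(render(controls))
    print("Overlay-only controls to add during Select:", gaps)
```

The `gaps` list is the practical output: those are the controls the baseline alone would never have surfaced, and catching them at Select is exactly the difference between designing FTI handling in and bolting it on later.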

Common mistakes I see

  • Treating the ATO as the finish line. Authorization is one step of seven. Without real continuous monitoring, your security posture is accurate for exactly one day.
  • Retrofitting FTI rules. Pub 1075 designed in costs a fraction of Pub 1075 bolted on.
  • Confusing the process with the catalog. RMF is how you work; 800-53 is what you implement. Keep them distinct in your documentation.
  • Reading frameworks as static. Both change. Release 5.2.0 and the 2025 Pub 1075 requirements are recent proof. Build a habit of tracking updates, not a one-time compliance sprint.

Key takeaways

  • The NIST RMF is the process; 800-53 is the control catalog you select from. Treat them as separate but linked.
  • 800-53 is the broad federal standard; Pub 1075 is a specialized overlay for Federal Tax Information.
  • Map Pub 1075 to 800-53 early and you cut duplicate work and audit friction.
  • Compliance is continuous. Both frameworks are living documents — monitor, don't just certify.

About the author

Jose D Soto is an information security leader with hands-on experience across federal and government IT, GRC, and security modernization, including building and defending programs aligned to NIST 800-53 and IRS Publication 1075. This guide reflects real implementation work, not theory.