We now examine each of these four steps through the lens of the NIST RMF management process, because of how federal organizations complete a ‘generic’ risk analysis and then select and subsequently tailor one of three control baselines. (We use the NIST framework for illustration, given its relevance to our subsequent discussion on the HITRUST RMF.)