Secondary Title
National Institute of Standards and Technology
Abstract

The addition of the Prepare step is one of the key updates to the Risk Management Framework (NIST Special Publication 800-37, Revision 2 [SP 800-37r2]). The Prepare step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support subsequent RMF steps and are largely derived from guidance in other NIST publications or are required by Office of Management and Budget (OMB) policy (or both). Thus, organizations may have already implemented many of the tasks in the Prepare step as part of organizationwide risk management. The Prepare step intends to reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals. The organization- and system-level risk management activities conducted in the Prepare step are critical for preparing the organization to execute the remaining RMF steps. Without adequate risk management preparation at the organizational and system levels, security and privacy.

Reference details

Resource type
Miscellaneous
Year of Publication
2021
Publication Area
Cybersecurity and defense

How to cite this reference:

NIST RMF Quick Start Guide. PREPARE STEP. Frequently Asked Questions (FAQs). (2021). Retrieved from https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf