Many aspects of cyberspace are abstract and complex, which is why risk management for cybersecurity requires a markedly different approach to understanding and evaluating risk. Given the skill and sophistication of the many malicious agents in operation, it is critically important to implement comprehensive, organization-wide protection, since any system with an exploitable hole is a potential hazard. Many organizations are required to document that they have considered the risks to their assets and have control measures in place to protect against them. The NIST Risk Management Framework (RMF) was designed to offer a structured yet flexible means of analyzing the risks that arise from an organization's information systems and deciding how to mitigate them. This paper discusses the merits of using the RMF as a guideline of best practices for managers who want a substantive risk management capability but do not know how to go about implementing it.