Vol. 1 · Ed. 2026
CyberGlossary
Entry № 736

NIST SP 800-37

What is NIST SP 800-37?

The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle.


NIST SP 800-37 Revision 2, Risk Management Framework (RMF) for Information Systems and Organizations, is issued by the United States National Institute of Standards and Technology. It establishes a seven-step lifecycle process to manage security and privacy risk: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The publication integrates security, privacy, and supply-chain risk management into a single framework aligned with FISMA, OMB Circular A-130, and the NIST Cybersecurity Framework. It applies to federal information systems but is also adopted by contractors, the defense industrial base, and many state, local, tribal, and private organizations to provide repeatable Authorization to Operate (ATO) decisions.

Examples

  1. A federal program manager runs an ATO under the seven RMF steps to authorize a new SaaS workload.

  2. A defense contractor inherits common controls from a CSP and documents them via the RMF Implement step.

Frequently asked questions

What is NIST SP 800-37?

The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle. It belongs to the Compliance & Frameworks category of cybersecurity.

What does NIST SP 800-37 mean?

The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle.

How does NIST SP 800-37 work?

NIST SP 800-37 Revision 2, Risk Management Framework (RMF) for Information Systems and Organizations, is issued by the United States National Institute of Standards and Technology. It establishes a seven-step lifecycle process to manage security and privacy risk: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The publication integrates security, privacy, and supply-chain risk management into a single framework aligned with FISMA, OMB Circular A-130, and the NIST Cybersecurity Framework. It applies to federal information systems but is also adopted by contractors, the defense industrial base, and many state, local, tribal, and private organizations to provide repeatable Authorization to Operate (ATO) decisions.

How is NIST SP 800-37 used to defend systems?

NIST SP 800-37 is a risk management framework rather than a threat, so it is not something to defend against; organizations apply it by combining technical controls and operational practices across the seven RMF steps, as detailed in the full definition above.

What are other names for NIST SP 800-37?

Common alternative names include: SP 800-37, RMF, Risk Management Framework.
