- Publications
NIST SP 800-37 Rev. 2 (Initial Public Draft)
Obsoleted on October 02, 2018 by SP 800-37 Rev. 2 (Final Public Draft)
Documentation Topics
Date Published: May 2018
Comments Due: June 22, 2018 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov
Planning Note (05/25/2018): See the current publishing schedule.
Author(s)
Joint Task Force
Announcement
This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals.
There are seven major objectives for this update:
- Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- Institutionalize critical organization-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- Demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- Integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53Revision 5;
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
- Integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- Provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach.
A public comment period for this draft document is open until June 22, 2018.
Abstract
This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle. Executing the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented in organizational information systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the well-established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.
This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common... See full abstract
Keywords
assess; authorization to operate; common control authorization; authorization to use; authorizing official; categorize; common control; common control provider; continuous monitoring; control baseline; hybrid control; information owner or steward; monitor; ongoing authorization; plan of action and milestones; privacy assessment report; privacy control; privacy plan; privacy risk; profile; risk assessment; risk executive function; risk management; risk management framework; security assessment report; security control; security plan; security risk; senior agency official for privacy; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer
Control Families
Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment
Documentation
Publication:
Draft SP 800-37 Rev. 2 (pdf)
Supplemental Material:
Draft, with line numbers (pdf)
Mark-up Copy of Draft SP 800-37 Rev. 2 (pdf)
Comment template (xlsx)
Presentation: RMF 2.0 (introduces the initial public draft) (pdf)
NIST Press Release
Related NIST Publications:
SP 800-53 Rev. 5 (Draft)
Document History:
09/28/17: SP 800-37 Rev. 2 (Draft)
05/09/18: SP 800-37 Rev. 2 (Draft)
10/02/18: SP 800-37 Rev. 2 (Draft)
12/20/18: SP 800-37 Rev. 2 (Final)
Topics
Security and Privacy
, continuous monitoring, controls, planning, risk assessment
Applications
cybersecurity framework
Laws and Regulations
Executive Order 13800, Federal Information Security Modernization Act, Homeland Security Presidential Directive 7, OMB Circular A-130