NIST Special Publication (SP) 800-37 Rev. 2 (Withdrawn), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (2024)

    Publications

NIST SP 800-37 Rev. 2 (Initial Public Draft)

Obsoleted on October 02, 2018 by SP 800-37 Rev. 2 (Final Public Draft)

Documentation Topics

Date Published: May 2018
Comments Due: June 22, 2018 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Planning Note (05/25/2018): See the current publishing schedule.

Author(s)

Joint Task Force

Announcement

This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals.

There are seven major objectives for this update:

  • Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • Institutionalize critical organization-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • Demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • Integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53Revision 5;
  • Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
  • Integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • Provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach.

A public comment period for this draft document is open until June 22, 2018.

Abstract

This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle. Executing the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented in organizational information systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the well-established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.

This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common... See full abstract

Keywords

assess; authorization to operate; common control authorization; authorization to use; authorizing official; categorize; common control; common control provider; continuous monitoring; control baseline; hybrid control; information owner or steward; monitor; ongoing authorization; plan of action and milestones; privacy assessment report; privacy control; privacy plan; privacy risk; profile; risk assessment; risk executive function; risk management; risk management framework; security assessment report; security control; security plan; security risk; senior agency official for privacy; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer

Control Families

Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment

Documentation

Publication:
Draft SP 800-37 Rev. 2 (pdf)

Supplemental Material:
Draft, with line numbers (pdf)
Mark-up Copy of Draft SP 800-37 Rev. 2 (pdf)
Comment template (xlsx)
Presentation: RMF 2.0 (introduces the initial public draft) (pdf)
NIST Press Release

Related NIST Publications:
SP 800-53 Rev. 5 (Draft)

Document History:
09/28/17: SP 800-37 Rev. 2 (Draft)
05/09/18: SP 800-37 Rev. 2 (Draft)
10/02/18: SP 800-37 Rev. 2 (Draft)
12/20/18: SP 800-37 Rev. 2 (Final)

Topics

Security and Privacy

, continuous monitoring, controls, planning, risk assessment

Applications

cybersecurity framework

Laws and Regulations

Executive Order 13800, Federal Information Security Modernization Act, Homeland Security Presidential Directive 7, OMB Circular A-130

NIST Special Publication (SP) 800-37 Rev. 2 (Withdrawn), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (2024)

FAQs

What is the NIST Special Publication 800-37? ›

NIST SP 800-37, the Risk Management Framework: A Guide in Plain English. NIST Special Publication (SP) 800-37, titled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy” is commonly referred to by its acronym, the RMF.

What is the Special publication 800-37 Revision 2? ›

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 revision 2 is a Risk Management Framework for Information Systems and Organizations: A System Lifecycle Approach for Security and Privacy.

What are the steps for NIST 800-37 RMF? ›

The NIST management framework is a culmination of multiple special publications (SP) produced by the National Institute for Standards and Technology (NIST) - as we'll see below, the 6 NIST RMF Steps; Step 1: Categorize/ Identify, Step 2: Select, Step 3: Implement, Step 4: Assess, Step 5: Authorize and Step 6: Monitor, ...

What are the limitations of NIST SP 800-37 Rev 2 as a risk management framework? ›

However, NIST SP 800–37 has some limitations, such as authorization boundaries that need continuous updating to account for high-risk systems that may have been missed. Additionally, there is a lack of RMF/Security Assessment and Authorization (SA&A) maturity model, which would provide metrics of effectiveness.

What is the difference between NIST 800-53 and 800 37? ›

Several NIST 800 documents address risk management, but one of the most important is NIST 800-37. NIST SP 800-37 addresses how organizations can apply risk management framework (RMF) to their information systems. NIST SP 800-53 outlines other security controls for federal information systems.

Is NIST a federal requirement? ›

NIST is a nonregulatory Federal agency within the Commerce Department. Its mission is to promote measurement science, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

Which type of document is SP 800-37? ›

Security frameworks are a crucial part of this kind of protection, and that's where the NIST 800-37 RMF (Risk Management Framework) comes in: it is a compliance framework designed to help organizations appropriately protect the security and privacy vulnerabilities of their information systems.

What does a Risk Management Framework look like? ›

The 5 Components of Risk Management Framework. There are at least five crucial components that must be considered when creating a risk management framework. They are risk identification; risk measurement and assessment; risk mitigation; risk reporting and monitoring; and risk governance.

What are the tasks of the NIST RMF? ›

The seven steps in the NIST RMF are: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor Security Controls. The organization gets ready to manage its security and privacy risks by: Assessing organization-wide risk.

What is the NIST issued a revision to SP 800-37? ›

Announcement. This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals.

What are the 5 stages of NIST? ›

You can put the NIST Cybersecurity Framework to work in your business in these five areas: Identify, Protect, Detect, Respond, and Recover.

What are the 7 steps of NIST? ›

The seven NIST RMF steps lay out the process your organization can follow: Prepare; Categorize; Select; Implement; Assess; Authorize; and Monitor.

What is the difference between NIST 800-37 and 39? ›

NIST Security offers three well-known risk-related frameworks: NIST SP 800-39 (defines the overall risk management process), NIST SP 800-37 (the risk management framework for federal information systems), and NIST SP 800-30 (risk assessment progress).

How many approaches are defined by the NIST Special Publication SP 800-37 for the selection of security and privacy controls? ›

With the major update to the RMF (Special Publication 800-37, Revision 2) in 2018, NIST defined two distinct approaches that can be used for the selection of controls: A baseline control selection approach, and. An organization-generated control selection approach.

What NIST special publication provides guidance on risk assessments? ›

The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.

What is a NIST special publication? ›

NIST Special Publications include proceedings of conferences sponsored by NIST, NIST annual reports, and other special publications. Within this are SP Subseries that provide detailed specifications in subject areas that are of interest to specific research communities.

What is the NIST Special Publication 800-53 document used for? ›

The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations is a set of recommended security and privacy controls for federal information systems and organizations to help meet the Federal Information Security Management Act (FISMA) requirements.

What is the NIST definition of cloud computing special publication? ›

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

What is the NIST special publication for passwords? ›

NIST Special Publication (SP) 800-63B provides requirements, recommendations, and guidance for the use of memorized secrets (i.e., PINs, passwords) in authentication of digital identity. This guidance for memorized secrets is exclusively for human users.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Rev. Porsche Oberbrunner

Last Updated:

Views: 5879

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Rev. Porsche Oberbrunner

Birthday: 1994-06-25

Address: Suite 153 582 Lubowitz Walks, Port Alfredoborough, IN 72879-2838

Phone: +128413562823324

Job: IT Strategist

Hobby: Video gaming, Basketball, Web surfing, Book restoration, Jogging, Shooting, Fishing

Introduction: My name is Rev. Porsche Oberbrunner, I am a zany, graceful, talented, witty, determined, shiny, enchanting person who loves writing and wants to share my knowledge and understanding with you.