Overview
NIST SP 800-37 Rev. 2 provides the Risk Management Framework (RMF) for managing security and privacy risk across the system life cycle.
Publication Details
- Title: Risk Management Framework for Information Systems and Organizations
- Series: NIST Special Publication 800-37 Rev. 2
- Date Published: December 2018
- Authors: Joint Task Force
- Supersedes: SP 800-37 Rev. 1; CSWP 3
- Focus: System life cycle approach integrating security and privacy
RMF Purpose and Scope
- Provides disciplined, structured, flexible process for security and privacy risk management.
- Applies to information systems and organizations at multiple risk management levels.
- Integrates with system development life cycle for continuous protection.
Core Activities and Outcomes
- Categorize information security and privacy risk to set protection priorities.
- Select, implement, and assess controls, including system-specific and common controls.
- Authorize systems and common controls; support ongoing authorization.
- Monitor continuously to enable near real-time risk management decisions.
- Link system-level risk processes to organization-level risk governance.
- Establish responsibility and accountability for implemented and inherited controls.
- Provide senior leaders information for efficient, cost-effective decisions.
Control and Governance Focus Areas
- Emphasizes continuous monitoring to maintain ongoing authorization status.
- Encourages preparation activities to execute RMF at appropriate levels.
- Supports alignment with missions and business functions for risk-informed operations.
Control Families
- Assessment, Authorization and Monitoring
- Configuration Management
- Planning
- Program Management
- Risk Assessment
Keywords and Roles
- Key processes: assess; categorize; monitor; ongoing authorization; risk assessment; risk management.
- Artifacts: control baseline; plan of action and milestones; security plan; security assessment report; privacy plan; privacy assessment report.
- Roles: authorizing official; control assessor; information owner or steward; risk executive function; senior agency information security officer; senior agency official for privacy; system owner; system security officer; system privacy officer.
- Control types: security control; privacy control; system-specific control; common control; hybrid control.
Related Topics and Context
- Security and Privacy: audit and accountability; continuous monitoring; controls; planning; risk assessment.
- Applications: cybersecurity framework.
- Laws and Regulations: Executive Order 13800; FISMA; HSPD-7; OMB Circular A-130.
Document Access and History
- Publication DOI: 10.6028/NIST.SP.800-37r2
- Download: NIST.SP.800-37r2.pdf
- Supplemental Material: None available
Document History Table
| Date | Milestone |
|---|---|
| 09/28/2017 | SP 800-37 Rev. 2 (Draft) |
| 05/09/2018 | SP 800-37 Rev. 2 (Draft) |
| 10/02/2018 | SP 800-37 Rev. 2 (Draft) |
| 12/20/2018 | SP 800-37 Rev. 2 (Final) |
Key Terms & Definitions
- Risk Management Framework (RMF): Structured process linking system and organizational risk activities, including authorization and monitoring.
- Common Control: Control inherited by multiple systems from a provider, authorized at an enterprise level.
- Ongoing Authorization: Authorization approach maintained through continuous monitoring data and risk updates.
- Plan of Action and Milestones (POA&M): Document tracking remediation tasks for identified risks and weaknesses.
- Control Baseline: Predefined set of controls selected for a system’s impact level.
- Privacy Risk: Potential for individuals to experience problems from data processing that affects privacy.
Action Items / Next Steps
- Align system development life cycle activities with RMF tasks and artifacts.
- Establish roles and responsibilities for security and privacy governance.
- Implement continuous monitoring to support near real-time risk decisions.
- Prepare organizational processes to execute RMF at appropriate levels.
- Maintain authorization packages with current assessment and monitoring results.