NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released a new risk management framework guideline. NIST has named the document Security Publication (SP) 800-37 Rev. 2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.”

SP 800-37 Rev. 2 includes guidelines for applying the Risk Management Framework (RMF) to information systems and organizations.

An abstract of the RMF standard document from the NIST website:

“The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.”


NIST also provided seven high level objectives from the revised SP 800-37 guidelines:

  1. To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  2. To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  3. To demonstrate how the NIST Cybersecurity Framework (NIST CSF) can be aligned with the RMF and implemented using established NIST risk management processes;
  4. To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
  5. To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 v1, with the relevant tasks in the RMF;
  6. To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  7. To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53, Revision 5.

You can download SP 800-37 Rev. 2 PDF document here.