Comprehensive Integrated Risk Management Solutions are available for all the world's standards!
Our risk assessment modules all participate in auto-mapping to the global compliance frameworks, saving you time and trouble. Even better, our real-time scoring, reporting, and dashboards help you stay current and compliant.
Build your own risk module easily, or use our preconfigured inventory covering:

NIST Special Publication 800-37
NIST Special Publication 800-37 describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.
Modules include:
- NIST Special Publication 800-37 - Risk Management Framework for Information Systems and Organizations
NIST 800-37 Revisions
NIST 800-37 is a National Institute of Standards and Technology (NIST) publication that provides a systematic approach to managing security and privacy risk in information systems. Revision 1 (2010) applied the approach to federal information systems through a six-step process that began with security categorization and control selection.
Revision 2 (December 2018) keeps that process but adds a Prepare step at the front, integrates privacy risk management into every step, addresses supply chain risk management, and aligns the RMF with the NIST Cybersecurity Framework. It does not add controls of its own; controls still come from the NIST SP 800-53 catalog.
Overall, NIST 800-37 is meant to apply the NIST Risk Management Framework (RMF) throughout the lifecycle of the information system.
Manage & Automate NIST Compliance
Revision 2 of NIST 800-37 defines a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for assessing and hardening the security of an organization's IT systems, primarily in federal organizations. It is a phased approach: assess potential threats and vulnerabilities, prioritize and implement fixes, then continually monitor the controls that were put in place. The framework explicitly encourages automation for tasks such as assessing and monitoring security controls and generating authorization evidence.
Managing cybersecurity risks can be done more efficiently by combining NIST 800-37 and automation tools to stay in compliance.
FAQ
How does NIST 800-30 ensure comprehensive risk management?
NIST SP 800-30 (Guide for Conducting Risk Assessments) lays out a repeatable risk assessment process: prepare for the assessment, conduct it (identify threat sources and events, vulnerabilities, likelihood, and impact, then determine risk), communicate the results, and maintain the assessment over time. Its value is a common vocabulary and common scales for likelihood, impact, and risk, so that risks and remediation priorities can be compared across systems. Those results feed the RMF's Prepare and Select steps, which is where control decisions are actually made.
How does NIST 800-30 help with business continuity?
A robust cybersecurity posture is a proactive approach to maintaining business continuity. Identifying potential vulnerabilities and threats, prioritizing their impact, and addressing them beforehand goes a long way toward ensuring that business is not interrupted. A current NIST 800-30 assessment also shortens incident response, because the threats, affected assets, and responsible owners are already documented when a breach occurs.
How does NIST 800-30 help organizations develop a risk management culture?
NIST 800-30 makes the steps of a risk management program more concise and systematic. The goal is to embed a risk management mindset throughout a system life cycle. The steps touch every aspect of risk management: planning, processes, controls, access and responsibilities. Active understanding creates a culture around risk management.
What is the role of documentation in NIST 800-30 risk assessments?
Documentation is essential as a record of threats, mitigation efforts, and the thinking behind key decisions. These documents provide transparency and accountability. Moving forward, these records also help an organization track their progress and serve as a resource for future assessments in implementing security controls.
How can organizations implement the Risk Management Framework NIST 800-37?
There are seven steps to implementation:
- Prepare: establish roles, risk management strategy, and organizational priorities
- Categorize: classify the system by the potential impact of a loss of confidentiality, integrity, or availability
- Select: choose and tailor the security and privacy controls appropriate for the system's impact level
- Implement: deploy the selected controls and document how each is implemented
- Assess: verify that the controls are implemented correctly and operating as intended
- Authorize: have the authorizing official accept the residual risk and approve the system for operation
- Monitor: continuously monitor the controls and the system environment to confirm they remain effective
What are risk acceptance and risk transfer in NIST 800-30?
Risk acceptance and risk transfer are two of the risk response options NIST describes (NIST SP 800-39, which SP 800-30 builds on, lists accept, avoid, mitigate, share, and transfer). Risk acceptance means acknowledging the risk and deciding that it falls within the organization's risk tolerance, so it does not warrant the cost of mitigation. The decision and its rationale should be recorded, typically in the risk assessment report or the POA&M.
Risk transfer acknowledges a risk and shifts the financial consequences of handling it to a third party, such as an insurer. It is common in industries like construction and finance. Note that transfer does not shift accountability: the organization still owns the outcome and still has to meet its compliance obligations.
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or calling us at 1-888-896-6207 for immediate assistance.
About the Standard
NIST Special Publication 800-37, known as the Risk Management Framework (RMF), provides a structured process for managing security and privacy risks for federal information systems and organizations. It outlines a seven-step process to ensure systems are secure and compliant with federal standards. Below is a concise summary of the compliance requirements for NIST 800-37, Revision 2 (released December 2018), tailored to provide a clear understanding of what organizations must do to comply.
Overview of NIST 800-37 Compliance Requirements
The RMF applies to federal agencies, contractors, and organizations handling federal data, with a focus on integrating security, privacy, and risk management into the system development lifecycle. Compliance involves implementing the following steps and requirements:
1. Prepare
- Objective: Establish a risk management strategy and prepare the organization for RMF implementation.
- Requirements:
- Identify organizational and system-level risk management roles and responsibilities.
- Develop a risk management strategy, including risk tolerance and assessment approaches.
- Conduct organization- and system-level risk assessments to identify threats, vulnerabilities, and impacts.
- Establish a system-level security and privacy strategy, including categorization processes.
- Ensure integration of security and privacy requirements into enterprise architecture and acquisition processes.
- Maintain an inventory of information systems and their connections.
- Communicate RMF activities to stakeholders and establish governance structures.
2. Categorize
- Objective: Categorize the system based on the potential impact of a security or privacy breach.
- Requirements:
- Categorize the system using FIPS 199: for each of confidentiality, integrity, and availability, assign the highest impact level (Low, Moderate, or High) across all the information types the system processes, using NIST SP 800-60 for provisional impact levels. FIPS 200 then sets the overall system impact level to the highest of the three (the high-water mark).
- Document the categorization in a security categorization report.
- Assess privacy impact separately: FIPS 199 categorization covers security impact only, and the NIST SP 800-53B privacy baseline applies to any system that processes personally identifiable information, regardless of impact level.
- Have the system owner document the categorization and the authorizing official (AO), or a designated representative, review and approve it.
3. Select
- Objective: Select appropriate security and privacy controls based on the system’s categorization.
- Requirements:
- Select the baseline for the system's impact level from NIST SP 800-53B, which holds the Low, Moderate, and High security baselines (and the privacy baseline) for the NIST SP 800-53 Rev. 5 control catalog.
- Tailor controls to address specific system risks, mission needs, or operational environments.
- Consider overlays (predefined control sets for specific technologies or environments, e.g., cloud systems).
- Document the selected controls in a Security and Privacy Plan (e.g., System Security Plan, SSP).
- Include continuous monitoring strategies in the plan.
4. Implement
- Objective: Implement the selected controls within the system and its environment.
- Requirements:
- Deploy technical, administrative, and physical controls as specified in the SSP.
- Document the implementation details, including how controls are applied (e.g., configurations, policies).
- Ensure controls address both security (e.g., access control, encryption) and privacy (e.g., data minimization, consent).
- Integrate controls into the system development lifecycle and operational processes.
5. Assess
- Objective: Assess the effectiveness of implemented controls.
- Requirements:
- Develop an assessment plan aligned with NIST SP 800-53A assessment procedures.
- Conduct the assessment using qualified assessors, with the level of assessor independence set by the AO (FedRAMP, for example, requires an accredited third-party assessor).
- Test controls using appropriate methods (e.g., interviews, document reviews, technical testing).
- Document findings in a Security Assessment Report (SAR) and, if applicable, a Privacy Assessment Report.
- Identify deficiencies and develop a Plan of Action and Milestones (POA&M) to address gaps.
6. Authorize
- Objective: Obtain authorization to operate (ATO) the system based on risk acceptance.
- Requirements:
- Compile a security and privacy authorization package, including:
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Submit the package to the Authorizing Official (AO) for review.
- The AO evaluates residual risks and determines if they are acceptable.
- Issue an ATO, denial of authorization, or limited authorization with conditions.
- Ensure authorization decisions are documented and communicated to stakeholders.
7. Monitor
- Objective: Continuously monitor the system to ensure ongoing compliance and risk management.
- Requirements:
- Implement a continuous monitoring strategy as outlined in the SSP.
- Monitor security and privacy controls regularly (e.g., through automated tools, audits, or scans).
- Report changes in system status, new risks, or incidents to the AO and other stakeholders.
- Update the SSP, SAR, and POA&M as needed to reflect changes in the system or environment.
- Conduct periodic reassessments and reauthorization as required: reauthorization may be time-driven (traditionally every three years) or event-driven after a significant change, and Revision 2 encourages replacing fixed-interval reauthorization with ongoing authorization backed by continuous monitoring.
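Steps 2 (Categorize) and 3 (Select) above reduce to a small computation that is easy to get wrong once a system processes several information types. The following is an added example, not Continuum GRC's code or tooling: it applies the FIPS 199 high-water mark per security objective across a constructed set of information types, derives the FIPS 200 overall impact level that picks the SP 800-53B security baseline, and flags the privacy baseline separately. The information types, their impact levels, and the names `InformationType`, `categorize_system`, `high_water_mark` and `select_baselines` are this example's own assumptions.

```python
"""FIPS 199 system categorization and baseline selection (RMF steps 2 and 3).

Added example, not Continuum GRC code. The information types and their impact
levels below are constructed for illustration; in practice provisional impact
levels come from NIST SP 800-60 Volume 2 and are adjusted by the system owner.
"""
from dataclasses import dataclass

# FIPS 199 impact values. N/A is permitted only for the confidentiality of an
# information type (public information); it is never permitted at the system level.
_LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
_NAMES = {rank: name for name, rank in _LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str, objective: str, type_name: str) -> int:
    """Validate an impact value and convert it to a comparable rank."""
    key = level.strip().upper()
    if key not in _LEVELS:
        raise ValueError(f"{type_name}: {objective} impact {level!r} is not a FIPS 199 value")
    if key == "N/A" and objective != "confidentiality":
        raise ValueError(f"{type_name}: N/A is only allowed for confidentiality")
    return _LEVELS[key]


def categorize_system(info_types):
    """FIPS 199 security category of a system.

    For each objective the system value is the highest impact across every
    information type the system processes. FIPS 199 forbids N/A at the system
    level, so a system whose only data is public still gets confidentiality LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(_rank(getattr(t, objective), objective, t.name) for t in info_types)
        category[objective] = _NAMES[max(highest, _LEVELS["LOW"])]
    return category


def high_water_mark(category):
    """FIPS 200 overall impact level: the highest value among the three objectives."""
    return _NAMES[max(_LEVELS[level] for level in category.values())]


def select_baselines(category, processes_pii):
    """Map the categorization to SP 800-53B baselines.

    The security baseline (LOW, MODERATE, HIGH) follows the high-water mark.
    The privacy baseline is not tied to impact level; it applies whenever the
    system processes personally identifiable information.
    """
    return high_water_mark(category), bool(processes_pii)


def format_category(system_name, category):
    """Render the category in the SC notation used by FIPS 199."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: one system processing three information types.
SAMPLE_TYPES = [
    InformationType("Public website content", "N/A", "LOW", "LOW"),
    InformationType("Employee PII records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Incident dispatch feed", "LOW", "MODERATE", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category("operations portal", sc))
    print("overall impact level:", high_water_mark(sc))
    print("security baseline, privacy baseline applies:", select_baselines(sc, processes_pii=True))
```

The mistake this guards against is categorizing from the "most important" information type alone: none of the three sample types is High in more than one objective, yet the system lands at High because the dispatch feed needs High availability, and that single value drives the entire security baseline. The privacy baseline is returned as a separate flag because SP 800-53B selects it on whether PII is processed, not on impact level; deciding which privacy controls apply is its own task in the Select step.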
Additional Compliance Considerations
- Documentation: Maintain comprehensive documentation for all RMF steps, including risk assessments, control selections, and authorization decisions.
- Integration with Federal Standards: Ensure alignment with related standards, such as:
- FIPS 199/200: For system categorization and minimum security requirements.
- NIST SP 800-53: For security and privacy control selection.
- FedRAMP (if cloud-based): Additional requirements for cloud service providers.
- Training: Ensure personnel involved in RMF processes are trained in security and privacy practices.
- Privacy Integration: Incorporate privacy requirements (e.g., NIST SP 800-53B) to address data protection and compliance with laws like FISMA and the Privacy Act.
- Supply Chain Risk Management: Address risks in third-party components or services, as emphasized in Revision 2.
- Continuous Monitoring: Use tools like Security Information and Event Management (SIEM) systems to track compliance in real time.
Key Deliverables for Compliance
- System Security Plan (SSP): Details the system, its categorization, and selected controls.
- Security Assessment Report (SAR): Documents control assessment results.
- Plan of Action and Milestones (POA&M): Outlines remediation plans for control deficiencies.
- Authorization Package: Combines SSP, SAR, and POA&M for ATO approval.
- Continuous Monitoring Reports: Provide ongoing evidence of compliance.
Who Must Comply?
- Federal agencies and their systems.
- Contractors or organizations operating systems that process, store, or transmit federal data.
- Cloud service providers under FedRAMP (if applicable).
Consequences of Non-Compliance
- Denial or revocation of ATO, preventing system operation.
- Increased risk of security or privacy breaches.
- Adverse audit findings and oversight consequences under FISMA for federal agencies (inspector general reports, OMB and congressional scrutiny), and contractual consequences such as loss of award or termination for contractors.
Resources for Compliance
- NIST SP 800-37 Rev. 2: Primary guidance for the RMF.
- NIST SP 800-53 Rev. 5: Security and privacy controls catalog.
- NIST SP 800-53B: Control baselines (Low, Moderate, High, and privacy) for the Rev. 5 catalog.
- NIST SP 800-53A: Procedures for assessing controls.
- NIST SP 800-30 Rev. 1: Guide for conducting risk assessments.
- FIPS 199/200: Standards for categorization and minimum security requirements.
- FedRAMP Guidelines (if applicable): For cloud systems.