SP 800-37r2SP 800Finalpublication

SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations

Describes the Risk Management Framework (RMF) and provides guidelines for applying it to information systems and organizations. Outlines seven steps including categorize, select, implement, assess, authorize, monitor, and prepare.

View on NIST.gov

Publication Number

800-37

Series

SP 800

Revision

Status

Final

Date

2018-12

risk management frameworkauthorizationsystem lifecyclecontinuous monitoring

References(14)

SP 800-53r5SP 800-53 Rev. 5 - Security and Privacy Controls for Information Systems and Organizations FIPS 199FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems FIPS 200FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems SP 800-53Ar5SP 800-53A Rev. 5 - Assessing Security and Privacy Controls in Information Systems and Organizations SP 800-137r1SP 800-137 Rev. 1 - Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations SP 800-30r1SP 800-30 Rev. 1 - Guide for Conducting Risk Assessments SP 800-39SP 800-39 - Managing Information Security Risk SP 800-60v1r1SP 800-60 Vol. 1 Rev. 1 - Guide for Mapping Types of Information and Information Systems to Security Categories SP 800-128SP 800-128 - Guide for Security-Focused Configuration Management of Information Systems CSF 2.0NIST Cybersecurity Framework (CSF) 2.0 SP 800-160v1r1SP 800-160 Vol. 1 Rev. 1 - Engineering Trustworthy Secure Systems SP 800-161r1SP 800-161 Rev. 1 - Cybersecurity Supply Chain Risk Management Practices NISTIR 8286NISTIR 8286 - Integrating Cybersecurity and Enterprise Risk Management (ERM)NISTIR 8170NISTIR 8170 - Approaches for Federal Agencies to Use the Cybersecurity Framework

Steps(7)

PreparePrepare (P)

CategorizeCategorize (C)

SelectSelect (S)

ImplementImplement (I)

AssessAssess (A)

AuthorizeAuthorize (Z)

MonitorMonitor (M)