NIST Special Publication 800-37, Revision 2, titled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” provides comprehensive guidelines for applying the Risk Management Framework (RMF) to federal information systems and organizations. The publication outlines a structured, flexible, and repeatable process for managing security and privacy risks throughout the system development life cycle. Key activities include categorizing information systems, selecting and implementing appropriate security and privacy controls, assessing control effectiveness, authorizing system operation, and continuously monitoring controls. The framework emphasizes integration with organizational processes, automation for near real-time risk management, and alignment with both security and privacy requirements. NIST SP 800-37 Revision 2 was published in December 2018.
Publication's URL
https://csrc.nist.gov/pubs/sp/800/37/r2/finalAdditional documents on this topic
- NIST IR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) ★★★★★
- NIST IR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management ★★★★★
- NIST IR 8286C Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
- NIST IR 8286D Using Business Impact Analysis to Inform Risk Prioritization and Response
- FAIR Taxonomy for Cyber Risk Scenarios ★★★★★