Barb Wert, Regulatory Compliance Specialist

Today the National Institute of Standards and Technology (NIST) published Revision 2 of SP 800-37 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.


NIST SP 800-37 is a key document of the Risk Management Framework (RMF), which is required for Department of Defense information and information systems.  The publication provides guidance for applying the RMF to information systems and organizations, both federal and non-federal.  From the publication, these guidelines were developed

  • To ensure that managing system-related security and privacy risk is consistent with the mission and business objectives of the organization and risk management strategy established by the senior leadership through the risk executive (function);

  • To achieve privacy protection for individuals and security protections for information and information systems through the implementation of appropriate risk response strategies;

  • To support consistent, informed, and ongoing authorization decisions, reciprocity, and the transparency and traceability of security and privacy information;

  • To facilitate the integration of security and privacy requirements and controls into the enterprise architecture, SDLC processes, acquisition processes, and systems engineering processes; and

  • To facilitate the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) within federal agencies. (1)


Revision 2 introduces the additional “Preparation” step, which highlights activities on organizational and system levels.  Preparation activities on the organizational level include such things as assigning key roles, establishing a risk management strategy, identifying key stakeholders, and understanding threats to information systems and organizations.  On the system level, preparation tasks include identifying stakeholders relevant to the system, determining the types of information processed, stored, and transmitted by the system, conducting a system risk assessment, and identifying security and privacy requirements applicable to the system and its environment.  These activities are not new to the process; however, Revision 2 emphasizes them, to assist in achieving the objectives of the RMF in the most efficient, consistent, and cost-effective way.

Cyber-Security Management

Another feature of Revision 2 is the correlation of RMF tasks to the NIST Cybersecurity Framework (CSF).  This correlation can assist in risk-based decision-making and the selection appropriate controls.  Federal agencies have been required to use CSF to manage cybersecurity risks since May 2017. (2)

Privacy Management

Revision 2 also incorporates privacy management into the RMF approach to system development.  OMB Circular A-130 states, “While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements.” (3)  NIST is currently developing a Privacy Framework.  Information on this effort is available at

NIST SP 800-37 Revision 2 was developed by the Joint Task Force Interagency Working Group, which includes representatives from the Civil, Defense, and Intelligence Communities.  It is available free of charge at


NIST SP 800-37 Rev. 2, Section 1.2 Purpose and Applicability

Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017

OMB Circular A-130, Managing Information as a Strategic Resource, July 2016