U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

SP 800-37 Rev. 2

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Date Published: December 2018

Supersedes: SP 800-37 Rev. 1 (06/05/2014); White Paper (06/03/2014)


Joint Task Force



assess; authorization to operate; authorization to use; authorizing official; categorize; common control; common control authorization; common control provider; continuous monitoring; control assessor; control baseline; cybersecurity framework profile; hybrid control; information owner or steward; information security; monitor; ongoing authorization; plan of action and milestones; privacy; privacy assessment report; privacy control; privacy plan; privacy risk; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security control; security engineering; security plan; security risk; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer; system-specific control.
Control Families

Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment


SP 800-37 Rev. 2 (DOI)
Local Download

Supplemental Material:
None available

Related NIST Publications:
ITL Bulletin

Document History:
09/28/17: SP 800-37 Rev. 2 (Draft)
05/09/18: SP 800-37 Rev. 2 (Draft)
10/02/18: SP 800-37 Rev. 2 (Draft)
12/20/18: SP 800-37 Rev. 2 (Final)