Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Joint Task Force Transformation Initiative

doi:https://doi.org/10.6028/NIST.SP.800-37r1

NIST SP 800-37 Rev. 1

Withdrawn on December 20, 2019. Superseded by SP 800-37 Rev. 2

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Documentation Topics

Date Published: February 2010 (Updated 6/5/2014)

Supersedes: SP 800-37 Rev. 1 (02/22/2010)

Author(s)

Joint Task Force Transformation Initiative

Abstract

The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.

Keywords

risk management framework; roles and responsibilities; security authorization; information systems; common controls; FISMA; categorize; security controls; continuous monitoring

Control Families

Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-37r1
Download URL

Supplemental Material:
Supplemental Guidance on Ongoing Authorization, (June 2014)
Press Release

Related NIST Publications:
CSWP 3

Document History:
06/05/14: SP 800-37 Rev. 1 (Final)

Topics

Security and Privacy

audit & accountability, planning, risk assessment

Laws and Regulations

Federal Information Security Modernization Act, Homeland Security Presidential Directive 7, OMB Circular A-130