NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a key document of the NIST Risk Management Framework (RMF), which is mandatory for the information and information systems of all US Government agencies, including the Department of Defense (DoD).
First published in February 2010, the publication provides guidance for applying the RMF to information systems and organizations, both federal and non-federal, based on a six-step process as shown below:
SP 800-37 Revision 2 was published in December 2018, and modified the well-known six-step RMF process to include an additional Preparation step as shown below:
SP 800-37 Revision 2 introduces an additional Preparation step, which highlights certain activities at the organizational and system levels.
Preparation activities at the organizational level include assigning key roles, establishing a risk management strategy, identifying key stakeholders, and understanding threats to information systems and organizations.
Preparation activities at the system level include identifying stakeholders relevant to the system, determining the types of information processed, stored, and transmitted by the system, conducting a system risk assessment, and identifying the security and privacy requirements applicable to the system and its environment.
Note that these preparation activities are not new to the RMF process; they have always been there in some shape or form. However, SP 800-37 Revision 2 emphasizes them by means of the additional step to assist in achieving the objectives of the RMF in the most efficient, consistent, and cost-effective way.
SP 800-37 Revision 2 also incorporates privacy management into the RMF approach to system development. OMB Circular A-130 states “While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements.”