Authorization and Monitoring
NIST Special Publication 800-37 Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
The purpose of this publication is to provide guidelines for applying the Risk Management Framework to systems, including conducting the activities of security categorization [1], security control selection and implementation, security control assessment, system authorization [2], and security control monitoring. The guidelines have been developed:
- To ensure that managing system-related security risks is consistent with the organization’s mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);
- To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes;
- To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of security assessment results [3]; and
- To achieve more secure information and systems within the federal government through the implementation of appropriate risk mitigation strategies.
This publication satisfies the requirements of the Federal Information Security Modernization Act (FISMA) and meets or exceeds the information security requirements established for executive agencies [4] by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources. The guidelines in this publication are applicable to all federal systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to consider using these guidelines, as appropriate [5].
1. FIPS 199 provides security categorization guidance for nonnational security systems. CNSS Instruction 1253 provides similar guidance for national security systems.
2. Security authorization is the official management decision given by a senior organizational official to authorize operation of a system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
3. Reciprocity is the mutual agreement among participating organizations to accept each other’s security assessments in order to reuse system resources and/or to accept each other’s assessed security posture in order to share information. Reciprocity is best achieved by promoting the concept of transparency (i.e., making sufficient evidence regarding the security state of a system available, so that an authorizing official from another organization can use that evidence to make cost-effective, risk-based decisions regarding the operation and use of that system or the information it processes, stores, or transmits).
4. An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the term executive agency is synonymous with the term federal agency.
5. In accordance with the provisions of FISMA and OMB policy, whenever the interconnection of federal systems to systems operated by state/local/tribal governments, contractors, or grantees involves the processing, storage, or transmission of federal information, the information security standards and guidelines described in this publication apply. Specific information security requirements and the terms and conditions of the system interconnections are expressed in the Memorandums of Understanding and Interconnection Security Agreements established by participating organizations.