Computer Security Resource Center

SP 800-37 Rev. 2

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Date Published: December 2018

Supersedes: SP 800-37 Rev. 1 (February 2010 (Updated 6/5/2014)); White Paper (6/3/2014)

Author(s)

Joint Task Force

Abstract

Keywords

assess; authorization to operate; authorization to use; authorizing official; categorize; common control; common control authorization; common control provider; continuous monitoring; control assessor; control baseline; cybersecurity framework profile; hybrid control; information owner or steward; information security; monitor; ongoing authorization; plan of action and milestones; privacy; privacy assessment report; privacy control; privacy plan; privacy risk; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security control; security engineering; security plan; security risk; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer; system-specific control.

Control Families

Security Assessment and Authorization; Configuration Management; Planning; Program Management; Risk Assessment

Documentation

Publication:
SP 800-37 Rev. 2 (DOI)
Local Download

Supplemental Material:
None available

Related NIST Publications:
ITL Bulletin

Document History:
Draft SP 800-37 Rev. 2 (9/28/17)
Draft SP 800-37 Rev. 2 (5/9/18)
Draft SP 800-37 Rev. 2 (10/2/18)
SP 800-37 Rev. 2 (12/20/18)