Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-37 Rev. 2

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Date Published: December 2018

Supersedes: SP 800-37 Rev. 1 (06/05/2014); CSWP 3 (06/03/2014)


Joint Task Force



assess; authorization to operate; authorization to use; authorizing official; categorize; common control; common control authorization; common control provider; continuous monitoring; control assessor; control baseline; cybersecurity framework profile; hybrid control; information owner or steward; information security; monitor; ongoing authorization; plan of action and milestones; privacy; privacy assessment report; privacy control; privacy plan; privacy risk; risk assessment; risk executive function; risk management; risk management framework; security; security assessment report; security control; security engineering; security plan; security risk; senior agency information security officer; senior agency official for privacy; supply chain risk management; system development life cycle; system owner; system privacy officer; system security officer; system-specific control.
Control Families

Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment


Download URL

Supplemental Material:
None available

Related NIST Publications:
ITL Bulletin

Document History:
09/28/17: SP 800-37 Rev. 2 (Draft)
05/09/18: SP 800-37 Rev. 2 (Draft)
10/02/18: SP 800-37 Rev. 2 (Draft)
12/20/18: SP 800-37 Rev. 2 (Final)