NIST SP 800-37 Rev. 2 — Risk Management Framework (RMF)

Overview

NIST SP 800-37Revision 2, known as the Risk Management Framework (RMF), is astructured risk management approach that guides organizations inselecting, implementing, and continuously monitoring cybersecurityand privacy controls to manage system and organizational risks. Theframework establishes a process for integrating security and privacyinto the system development life cycle, supporting compliance andrisk decision-making.

Published by theNational Institute of Standards and Technology (NIST), the RMF iswidely used by U.S. federal agencies, contractors, and organizationsseeking to align with government cybersecurity requirements. Itcovers risk assessment, security control selection, implementation,assessment, authorization, and continuous monitoring to enhance theprotection of information systems and data.

Organizationstypically adopt the NIST RMF by incorporating its steps into theircybersecurity programs, mapping controls to NIST SP 800-53 or otherstandards, and supporting audit readiness. The framework enablesconsistent risk-informed decisions, effective compliance management,and integration with broader regulatory, security, and privacyecosystems such as FISMA and FedRAMP.

Why it Matters

The NIST RiskManagement Framework equips organizations with a systematic processto integrate security and privacy throughout the system lifecycle.

Key benefitsinclude:

•  Strengthen risk-based decision-making

Enable moreconsistent, informed risk management choices aligned withorganizational priorities and operational requirements.

•  Enhance compliance support

Supportadherence to government and industry regulations by establishing adefensible, repeatable approach to cybersecurity and privacycontrols.

•  Promote continuous monitoring

Facilitateongoing assessment and mitigation of evolving threats by embeddingmonitoring practices in daily operations.

•  Increase audit readiness

Documentsecurity activities and controls in a structured way that simplifiesaudits and demonstrates due diligence to stakeholders.

•  Improve protection of sensitive data

Reduce thelikelihood and impact of data breaches by applying controls tailoredto protect critical assets and information.

How it Works

NIST SP 800-37Rev. 2 establishes the Risk Management Framework (RMF) as astructured, iterative lifecycle process. The RMF integrates a set ofsteps—categorize information systems, select security controls,implement controls, assess effectiveness, authorize operations, andmonitor controls—creating a continuous cycle for managingorganizational risk. This framework directly references controlcatalogs, such as those in NIST SP 800-53, to support effective riskmanagement and governance.

In practice,organizations apply the RMF by first classifying their assets anddetermining appropriate security controls based on risk assessments.Teams implement and document these controls, conduct securityassessments to evaluate control effectiveness, and maintaincompliance through ongoing authorization and monitoring activities.The RMF also facilitates alignment with broader governance programsand regulatory requirements by providing a repeatable structure forcompliance assessments and ongoing oversight of security practices.

Organizationscan operationalize the RMF using SmartSuite by leveraging integratedcontrol libraries, maintaining dynamic risk registers, and automatingpolicy governance processes. SmartSuite enables streamlined evidencecollection, compliance tracking, and remediation workflows,supporting audit readiness and continuous monitoring. Reportingdashboards further allow security and compliance teams to evaluaterisk management practices and monitor organizational security postureover time.

Key Elements

•  System Development Life Cycle Integration

Establishesalignment of security and privacy risk processes within theorganization’s system development methodology.

•  Risk Assessment and Categorization

Describescategorization of information systems based on potential impactlevels and initial risk analysis.

•  Security and Privacy Control Selection

Specifies theprocess for identifying, tailoring, and documenting safeguards fromestablished control baselines.

•  Control Implementation Architecture

Outlinesstructured deployment and configuration of approved security andprivacy measures within environments.

•  Assessment and Validation Activities

Detailsmechanisms for evaluating control effectiveness through testing,review, and analysis.

•  Authorization Process Structure

Defines formalprocedures for system authorization based on assessed risks andcompliance evidence.

•  Continuous Monitoring Framework

Describesongoing monitoring and reporting requirements to manage changes inrisk posture over time.

Framework Scope

NIST SP 800-37Rev. 2 — Risk Management Framework is implemented by federalagencies, government contractors, and organizations managingsensitive or regulated information systems. The framework governsrisk management processes for IT systems and cloud environments,typically during regulatory compliance, system development, or whenenhancing security governance and supporting assurance programs.

Framework Objectives

NIST SP 800-37Rev. 2 Risk Management Framework (RMF) provides a comprehensiveprocess for managing cybersecurity and privacy risks acrossinformation systems.

•  Enhance risk management practices to address evolvingcybersecurity and privacy threats

•  Establish effective security controls to protect critical dataand organizational assets

•  Strengthen governance and oversight of security and privacyprogram operations

•  Promote regulatory compliance through integration with federaland industry requirements

•  Improve operational resilience by enabling continuous monitoringand timely risk response

•  Support audit readiness with documented control assessment andrisk management actions NIST SP 800-37 Rev. 2 (RMF) provides arisk-based authorization process that maps to controls in NIST SP800-53 Rev. 5 and supports FedRAMP authorizations, while aligningwith the NIST Cybersecurity Framework and ISO/IEC 27001 forgovernance. Organizations apply RMF for federal accreditation,regulatory compliance, risk governance, and operational securityimprovements.

Common Framework Mappings

Organizationsmap NIST SP 800-37 Rev. 2 to complementary standards and controls tostreamline risk management, demonstrate compliance, and alignsecurity controls across governance, auditing, and cloudauthorization programs.

Mappedframeworks include:

CIS CriticalSecurity Controls

FedRAMP

ISO/IEC 27001

ISO/IEC 27002

ISO/IEC 27701

NISTCybersecurity Framework

NIST SP 800-30

NIST SP 800-53Rev. 5