NIST 800-37 Risk Management Framework (RMF) Publication Overview

This blog provides an overview of the NIST 800-37 Iterations and how the Risk Management Framework has evolved in the past decades since it was first drafted in 2002.

In 2002,  the one hundred and seventh (107th) Congress and the President enacted the E-Government Act (Public Law 107-347) into law, those recognizing the importance of information security as it pertains to the economic and national security interest.  The E-Government Act included the Federal Information Security Management Act (FISMA) 44 U.S.C. § 3541, which is a legislation specific to the United States of America that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. 

As part of the process,  NIST and other agencies were assigned the responsibility of developing the necessary guidance by incorporating policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. Since then, NIST has taken the lead on developing all of the required guidance for agencies to modify as necessary and apply to their unique environments. 

NOTE: This law has been replaced by the Federal Information Security Modernization Act of 2014 (Pub.L. 113–283), sometimes known as FISMA2014 or FISMA Reform. FISMA2014 struck subchapters II and III of chapter 35 of title 44, United States Code, amending it with the text of the new law in a new subchapter II (44 U.S.C. § 3551).

First iteration of NIST 800-37 Published in 2002


The initial Iteration for NIST 800-37 was titled “Guide for the Security Certification & Accreditation of Federal Information Systems” and it was published in May 2004. This version didn’t incorporate a breakdown of tiers, but it focus on four (4) phases.

Each phase noted above can be summarized as follows:




This phase consisted of three (3) tasks:

  1. preparation;
  2. notification and resource identification; and
  3. System security plan analysis, update, and acceptance.


The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan, including the system’s documented security requirements, before the certification agent begins the assessment of the security controls in the information system.

Security Certification Phase

This phase consisted of two (2) tasks:

  1. security control assessment; and
  2. Security certification documentation.


The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals—and thus, will be able to render an appropriate security accreditation decision for the information system.

Security Accreditation Phase

This phase consisted of two (2) tasks:

  1. security accreditation decision; and
  2. Security accreditation documentation.


The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the information system owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system.

Continuous Monitoring Phase

This phase consists of three (3) tasks:

  1. configuration management and control;
  2. security control monitoring; and
  3. Status reporting and documentation.


The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system.


First Revised Version


On February 2010, NIST revised the initial iteration noted above and renamed it to “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”. The risk management process described in this publication changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach that provides the capability to more effectively manage information system-related security risks in highly diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions.

This iteration incorporates the following RMF characteristics:

  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
  • Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
  • Integrates information security into the enterprise architecture and system development life cycle;
  • Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
  • Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

As part of this revision, the RMF Tiers were introduced, those further enhancing the process. There’s three (3) key Tiers are:



Tier 1: Organization (Governance)

This tier addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes:

  1. the techniques and methodologies the organization plans to employ to assess information system related security risks and other types of risk of concern to the organization;
  2. the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment;
  3. the types and extent of risk mitigation measures the organization plans to employ to address identified risks;
  4. the level of risk the organization plans to accept (i.e., risk tolerance);
  5. how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and
  6. The degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out.


As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities

Tier 2: Mission/Business Process (Information and Information Flows)

This tier addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

  1. defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations);
  2. prioritizing missions and business processes with respect to the goals and objectives of the organization;
  3. defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization;
  4. developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes; and
  5. Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.

Tier 3: Information Systems (Environment of Operation)

This tier addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level.


Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53. The security controls are subsequently allocated to the various components of the information system as system-specific, hybrid, or common controls in accordance with the information security architecture developed by the organization.


Security controls are typically traceable to the security requirements established by the organization to ensure that the requirements are fully addressed during design, development, and implementation of the information system. Security controls can be provided by the organization or by an external provider. Relationships with external providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements.


While the above Tiers are briefly noted, the publication itself denotes that the RMF process describe within focuses mainly on Tier 3 as follows:

The RMF process described in this publication and illustrated in Figure 2-2 below is primarily tied to Tier 3: Information Systems. Unlike the initial C&A process described on the first iteration, this process incorporates a total of six (6) steps.    

The steps noted can be summarized as follows:



Step 1: Categorize Information System

Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis

Step 2: Select Security Controls

Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

Step 3: Implement Security Controls

Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

Step 4: Assess Security Controls

Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

Step 5: Authorize Information System

Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor Security Controls

Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

The new and improved process noted in this iteration provided a better overview on how the ERM process should be implemented; however, it failed to fully address the importance of incorporating Tier 1 & Tier 2 as part of Tier 3.

One of the biggest issues today is that organizations are focusing mainly on Tier 3 and fail to incorporate a proper Enterprise Architecture Blueprint that is part of Tier 2 based on Tier 1 assessment.


Second Revised Version – Current


The current and final iteration was issued on December 2018. This publication was renamed to “Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy”.  This new iteration incorporates the following seven major objectives:

  1. To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  2. To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  3. To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes;
  4. To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
  5. To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;
  6. To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  7. To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

In this iteration, NIST incorporated a new step that provides additional granularity on the integration of Tier 1 and Tier 2 prior to applying Tier 3. The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.

The primary objectives for institutionalizing organization-level and system-level preparation are:

  1. To facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level;
  2. To facilitate organization-wide identification of common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection;
  3. To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services;
  4. To reduce the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk; and
  5. To identify, prioritize, and focus resources on the organization’s high value assets (HVA) that require increased levels of protection—taking measures commensurate with the risk to such assets.

By achieving the above objectives, organizations can simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks. Organizations implementing the RMF will be able to:

    1. Use the tasks and outputs of the Organization-Level and System-Level Prepare step to promote a consistent starting point within organizations to execute the RMF;
    2. Maximize the use of common controls at the organization level to promote standardized, consistent, and cost-effective security and privacy capability inheritance;
    3. Maximize the use of shared or cloud-based systems, services, and applications to reduce the number of authorizations needed across the organization;
    4. Employ organizationally-tailored control baselines to increase the speed of security and privacy plan development and the consistency of security and privacy plan content; - Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process;
    5. Maximize the use of automated tools to manage security categorization; control selection, assessment, and monitoring; and the authorization process;
    6. Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher
    7. impact systems through system connections;
    8. Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings;
    9. Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system components, and services — employing the least functionality principle; and
    10. Make the transition to ongoing authorization a priority and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs.

Recognizing that the preparation for RMF execution may vary from organization to organization, achieving the above objectives can reduce the overall IT/OT footprint and attack surface of organizations, promote IT modernization objectives, conserve resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.


For the past decade, CyberAdeptness personnel has emphasized the importance of incorporating Tier 1 & Tier 2 as part of the Risk Management Process by denoting the importance of an Enterprise Level Assessment; however, it has gone on deaf ears. While NIST has done an amazing job continuously updating the process to incorporate additional guidance on Tier 1 & Tier 2, organizations- whether government or non-government- still fail to grasp the importance of implementing the Risk Management Framework correctly and instead continue to focus on Tier 3 and the Cybersecurity Framework, which is simply an addition to the NIST Risk Management process, and not a replacement.

How can we help your organization?

CyberAdeptness processes have been in the making since 2006 and have always focused on the integration of Tier 1 & Tier 2 into the equation from a Technical Architecture/Engineering perspective. These tiers are essential, as they differ per organization, and provide the blueprint for the organizations' Security Program across the Enterprise level, those limiting risk and expenses across the board to what truly matters by re-focusing efforts towards… mission critical systems and privilege users.

If your organization is interested on learning more about the assessments, feel free to send us a message via our website’s Contact Us for a 30 min free consultation.

By Karen Baez | on Saturday, February 15, 2020 10:36

Add a comment

HTML code is displayed as text and web addresses are automatically converted.

They posted on the same topic

Trackback URL :

This post's comments feed