NIST 800-37 Assessment

Is it right for your business?

NIST 800-37 is a special publication that aims to transform the traditional Certification and Accreditation (C&A) process for federal information systems into a six-step Risk Management Framework (RMF).

The core concepts and benefits of NIST 800-37 compliance include: 

  • Implementation of robust, enhanced, and continuous security monitoring.
  • Near-real-time risk management and ongoing information system authorization.
  • Provision of essential information for senior leaders to make cost-effective, risk-based decisions.
  • Incorporation of risk management principles and best practices into organization-wide strategic planning considerations, core missions and business processes.
  • Integration of information security into the enterprise architecture and system development life cycle.
  • Emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems.
  • Connection of risk management processes at the information system level to risk management processes at the organization level.
  • Responsibility and accountability for deployed and inherited security controls.

Applying the Risk Management Framework

The six-step RMF approach emphasizes the importance of security control effectiveness within information systems and the infrastructure supporting those systems. Application of the RMF, by both internal and external control providers, ensures that the security capabilities provided by the controls can be inherited by information system owners with a degree of assurance appropriate for their information protection needs. 

Although the steps are listed in order, it is possible — and often more time- and cost-efficient — for an organization to deviate from this sequence and execute the steps according to their established system development life cycle processes. A CyberSheath-led security control assessment can help you to determine the most suitable sequence for your organization. 

The Risk Management Framework (RMF)

NIST 800-37 enables organizations to achieve these outcomes via the Risk Management Framework (RMF), a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

Risk Management Framework

The RMF is made up of six steps.

  1. Categorize the information system and the information processed, stored, and transmitted by that system based on impact analysis.
  2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed, based on an organizational assessment of risk and local conditions.
  3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.