NIST SP 800-37 (Risk Management Framework for Information Systems)
NIST's Risk Management Framework: a structured seven-step process for integrating security and privacy risk management into the system development life cycle.
NIST Special Publication 800-37 Revision 2 (December 2018), "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," defines the Risk Management Framework (RMF): the process federal agencies use to authorize information systems under the Federal Information Security Modernization Act (FISMA) of 2014 and OMB Circular A-130, adopted by the Department of Defense through DoDI 8510.01, and used voluntarily by many organizations outside government, including critical infrastructure operators. Revision 2 defines seven steps: Prepare (establish context, assign roles, and conduct organization- and system-level risk assessments), Categorize (rate the system using FIPS 199 and the NIST SP 800-60 information-type guidance), Select (choose and tailor a control baseline from NIST SP 800-53), Implement (deploy the controls and document how each is implemented), Assess (determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome), Authorize (a senior official formally accepts the residual risk), and Monitor (track control effectiveness and system changes continuously after authorization).
System categorization (the Categorize step) using FIPS 199 and SP 800-60 is the technical foundation of the RMF. Each information type the system stores, processes, or transmits is rated Low, Moderate, or High for confidentiality, integrity, and availability separately (SP 800-60 Volume II supplies provisional ratings that may be adjusted with documented justification); the system's rating for each objective is the highest, or "high-water mark," across its information types, and the overall impact level is the highest of the three objectives, as FIPS 200 requires. The overall level drives baseline selection (the Select step): Low, Moderate, and High systems start from the corresponding SP 800-53 baseline, published for Revision 5 in SP 800-53B, where the baselines contain roughly 150, 290, and 370 controls and enhancements respectively; exact counts depend on the SP 800-53 revision and on whether enhancements are counted separately, so cite the baseline tables rather than a fixed number. Tailoring the baseline (scoping out controls that do not apply, assigning parameter values, adding compensating or supplemental controls) is recorded in the System Security Plan (SSP), which together with the Security Assessment Report (SAR) and the Plan of Action and Milestones (POA&M) forms the authorization package.
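The categorization rules above, carried through as an added worked example (not from the page or from NIST). The information types and their impact levels are constructed for illustration and are not SP 800-60 Volume II provisional values; the point it shows beyond the text is the per-objective aggregation across information types and the FIPS 199 rule that confidentiality may be "not applicable" for public information at the type level but never below Low at the system level.

```python
"""FIPS 199 / SP 800-60 system security categorization (added example)."""
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAME = {v: k for k, v in RANK.items()}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level, objective):
    level = level.upper()
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}")
    # FIPS 199 permits "not applicable" only for the confidentiality of public information.
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"NA is not a valid {objective} impact level")
    return RANK[level]


def categorize_system(info_types):
    """Return (per-objective category, overall impact level).

    Per objective the system inherits the high-water mark across its
    information types; at the system level no objective may fall below LOW,
    even when every information type is public (NA confidentiality); the
    overall level is the high-water mark across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must have at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(_rank(getattr(it, objective), objective) for it in info_types)
        category[objective] = NAME[max(highest, RANK["LOW"])]
    overall = NAME[max(RANK[v] for v in category.values())]
    return category, overall


def fips199_notation(category):
    """Render the category in the FIPS 199 notation used in an SSP."""
    inner = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + inner + "}"


def baseline_for(overall):
    """Map the overall impact level to the SP 800-53B baseline to start tailoring from."""
    return f"SP 800-53B {overall.capitalize()} baseline"


# Constructed sample information types (illustrative ratings, not SP 800-60 values).
PUBLIC_WEB = InfoType("public web content", "NA", "MODERATE", "LOW")
ACCOUNT_RECORDS = InfoType("customer account records", "MODERATE", "MODERATE", "LOW")

if __name__ == "__main__":
    cat, overall = categorize_system([PUBLIC_WEB, ACCOUNT_RECORDS])
    print(fips199_notation(cat), "->", overall, "->", baseline_for(overall))
    # A system holding only public content still categorizes at LOW confidentiality.
    print(categorize_system([PUBLIC_WEB]))
```

Run it as a script to see both cases; in practice the per-type ratings and any adjustments from the provisional values belong in the SSP with their justification.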
Revision 2's most visible changes from Revision 1 are the new Prepare step and the integration of privacy risk management alongside security, matched by the consolidated security and privacy control catalog in NIST SP 800-53 Revision 5. The Authorize step ends in an Authorization to Operate (ATO), the authorizing official's formal acceptance of residual risk, usually with conditions and an accompanying POA&M, or in a Denial of Authorization to Operate (DATO). ATOs are time-limited (three years has been the common term) and must be renewed at expiration or when a significant change alters the system's risk posture; OMB Circular A-130 (2016) and SP 800-37 Rev 2 also allow ongoing authorization, in which a mature continuous monitoring program replaces the fixed reauthorization cycle. The Monitor step relies on automated assessment using SCAP content (XCCDF benchmarks, OVAL definitions, and the CPE and CVE identifiers they reference) fed into the organization's Information Security Continuous Monitoring (ISCM) program as described in NIST SP 800-137, with scan results, change records, and updated POA&M entries supplying the assurance evidence between formal assessments.
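How automated scan output feeds the POA&M in practice, as an added example that is not from the page or from any scanner vendor: it parses an XCCDF 1.2 TestResult and turns failing rules into POA&M candidates. The scan result is constructed, the rule identifiers use the reserved "org.example" namespace, and the remediation windows by severity are an assumed organizational policy, not an RMF requirement. The edge it handles is that "error", "unknown" and "notchecked" results are evidence gaps that need an assessor's attention, not weaknesses, so they are kept apart from the POA&M.

```python
"""XCCDF 1.2 TestResult -> POA&M candidates (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Assumed organizational policy: days allowed to close a weakness, by XCCDF severity.
REMEDIATION_DAYS = {"high": 30, "medium": 90, "low": 180, "info": 365, "unknown": 90}

# Constructed sample scan output; the rule ids are illustrative, not a real benchmark.
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_web01"
            start-time="2024-05-01T09:55:00" end-time="2024-05-01T10:00:00">
  <target>web01.example.internal</target>
  <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_log_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_max_age" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_fips_mode">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_wireless_disabled" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def parse_test_result(xml_text):
    """Extract target, scan end time and per-rule outcomes from an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}TestResult" % XCCDF_NS["x"]:
        raise ValueError("expected an XCCDF 1.2 TestResult element")
    end_time = datetime.fromisoformat(root.get("end-time"))
    target = root.findtext("x:target", default="", namespaces=XCCDF_NS)
    rules = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        rules.append({
            "rule": rr.get("idref"),
            # severity is optional on rule-result; missing means we cannot prioritize it
            "severity": (rr.get("severity") or "unknown").lower(),
            "result": rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip(),
        })
    return {"id": root.get("id"), "target": target, "end_time": end_time, "rules": rules}


def poam_candidates(scan):
    """Failing rules become POA&M entries; inconclusive results are returned separately."""
    entries, needs_review = [], []
    for row in scan["rules"]:
        if row["result"] == "fail":
            days = REMEDIATION_DAYS.get(row["severity"], REMEDIATION_DAYS["unknown"])
            entries.append({
                "weakness": row["rule"],
                "severity": row["severity"],
                "asset": scan["target"],
                "source": scan["id"],
                "identified": scan["end_time"].date().isoformat(),
                "scheduled_completion": (scan["end_time"] + timedelta(days=days)).date().isoformat(),
                "status": "Ongoing",
            })
        elif row["result"] in ("error", "unknown", "notchecked"):
            needs_review.append(row["rule"])
    return entries, needs_review


if __name__ == "__main__":
    found, gaps = poam_candidates(parse_test_result(SAMPLE_RESULT))
    for e in found:
        print(e["severity"], e["weakness"], "due", e["scheduled_completion"])
    print("needs assessor review:", gaps)
```

The same parser applies to a TestResult embedded in an ARF report once the element is located; the dates come from the scan's own end-time so that repeated runs produce stable "identified" values for deduplication against entries already on the POA&M.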
We deliver RMF implementations for federal and defense contractor systems from FIPS 199 categorization through assembly of the authorization package (SSP, SAR, and POA&M), using automated SCAP scanning to populate control assessment evidence and managing the POA&M lifecycle in dedicated risk-tracking tooling. Our continuous monitoring architecture integrates SIEM, vulnerability management, and configuration compliance scanning into unified ISCM dashboards aligned to OMB A-130 requirements.