This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

NIST SP 800-37 This 2014 Version is out of date and was SUPERCEDED ON 28 SEPTEMBER 2017. A full copy of all the pertinent cybersecurity standards is available on DVD-ROM in the CyberSecurity Standards Library disc which is available at Amazon.com.

The book provides the complete strategic understanding requisite to allow a person to create and use the RMF process recommendations for risk management. This will be the case both for applications of the RMF in corporate training situations, as well as for any individual who wants to obtain specialized knowledge in organizational risk management. It is an all-purpose roadmap of sorts aimed at the practical understanding and implementation of the risk management process as a standard entity. It will enable an "application" of the risk management process as well as the fundamental elements of control formulation within an applied context.

The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security controlselection and implementation, security control assessment, information system authorization, and security control monitoring.

NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems is prepared by The National Institute of Standards and Technology. The purpose of this publication is to provide guidelines for applying the Risk ManagementFramework to federal information systems to include conducting the activities of securitycategorization,9 security control selection and implementation, security control assessment,information system authorization,10 and security control monitoring. The guidelines have beendeveloped:To ensure that managing information system-related security risks is consistent with theorganization's mission/business objectives and overall risk strategy established by the seniorleadership through the risk executive (function);To ensure that information security requirements, including necessary security controls, areintegrated into the organization's enterprise architecture and system development life cycleprocesses;To support consistent, well-informed, and ongoing security authorization decisions (throughcontinuous monitoring), transparency of security and risk management-related information,and reciprocity; and To achieve more secure information and information systems within the federal through the implementation of appropriate risk mitigation strategies.Disclaimer This hardcopy is not published by National Institute of Standards and Technology (NIST), the US Government or US Department of Commerce. The publication of this document should not in any way imply any relationship or affiliation to the above named organizations and Government.