How to Implement NIST 800-37: Complete Guide

SaltyCloud Research Team

Updated Jan 28, 2026 | Read time: 38 min

How to Implement NIST 800-37, Revision 2, RMF: Complete Guide

What is NIST 800-37?

NIST released Special Publication 800-37, the first formal Risk Management Framework (RMF), in February 2010. Developed in collaboration with the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems, the RMF standardized how agencies categorized systems, selected and implemented security controls, assessed effectiveness and authorized operations. 

As federal directives began pushing for unified, repeatable and accountable approaches to managing information security risk, NIST 800-37 was created to help organizations make risk management into a continuous, lifecycle-driven process rather than a one-time compliance exercise. In 2016, the Office of Management and Budget (OMB) updated Circular A-130, formally establishing privacy as a co-equal pillar alongside security.

This guide breaks down NIST SP 800-37 Rev. 2 into clear, practical steps for implementation. It explains how organizations can operationalize the RMF, avoid common pitfalls, and use its principles to improve their security posture, strengthen governance and support modern IT and cloud environments.

What is NIST 800-37 Revision 2?

NIST SP 800-37 Revision 2, released in December 2018, expanded the original framework’s scope to reflect modern IT environments, strengthened governance expectations and incorporated security- and privacy-by-design principles across system development, operations and continuous monitoring. 

At its core, the NIST 800-37 Rev. 2 RMF provides a structured, repeatable, seven-step process to identify risks early, manage them continuously and communicate them clearly to decision-makers. 

Who Uses NIST 800-37?

Originally intended for U.S. federal agencies and contractors under the Federal Information Security Modernization Act (FISMA), the NIST RMF has become a widely adopted best practice across public and private sectors alike. Today, many organizations outside the federal space use NIST 800-37 because it aligns with other requirements and frameworks, such as the NIST Cybersecurity Framework (CSF).

Where NIST RMF Makes Sense

Role
  • Compliance Officers, CISOs, IT Leaders
  • Security Architects and Privacy Officers
  • GRC and Risk Management Professionals

Industry
  • Government (Federal, State, Local, Tribal)
  • Healthcare and Public Health
  • Financial Services
  • Higher Education
  • Critical Infrastructure (Energy, Defense, Transportation, Telecom)

Size
  • All organizational sizes, from small SaaS firms to global enterprises

Geographic Location
  • Mandatory in the U.S. for federal information systems
  • Voluntarily adopted globally by multinational organizations

Exemptions & Flexibility
  • Non-federal entities are not required to use the RMF.
  • Widely used as a best-practice baseline because of its flexibility, maturity and compatibility with ISO 27001, SOC 2, HIPAA, PCI DSS and similar frameworks.

Why NIST 800-37 RMF Matters

The NIST 800-37 RMF stands out among risk frameworks because it is a full governance and engineering model designed to bring consistency, accountability and structure to how organizations manage security and privacy risk.

System Development Life Cycle (SDLC) Integration

The framework embeds protective considerations into planning, architecture, design, development, deployment, operations and even decommissioning. By aligning with the SDLC, the RMF ensures that security and privacy mature alongside the system itself.

Role-Driven Accountability 

The RMF establishes explicit roles (system owners, engineers, ISSOs, privacy officers, risk executives, CIOs, CISOs and Authorizing Officials), each with well-defined responsibilities. This removes ambiguity around who owns which controls or risk decisions and fosters transparent, traceable governance.

Continuous Monitoring 

Instead of relying on sporadic audits or point-in-time reviews, the framework supports ongoing evaluation of control performance and real-time situational awareness. This lets leaders base decisions on current conditions, detect deviations quickly and maintain an accurate understanding of their risk posture.

Flexibility

The RMF is both policy- and technology-neutral, allowing it to adapt to highly diverse environments. Whether an organization operates cloud-native workloads, maintains hybrid or on-premises systems or deploys software through DevOps pipelines, the RMF can be tailored in rigor and depth to align with mission needs, system complexity and risk tolerance.

That flexibility is especially critical in environments where:

  • New threats emerge rapidly.
  • Systems are continually updated and deployed.
  • Security and privacy requirements overlap.
  • Cloud-first and modernization efforts are underway.

Enterprise-Wide, Multi-Tier Alignment

Finally, the RMF links system-level implementation to mission-level execution and organizational-level governance, ensuring that technical decisions support broader strategic priorities. This alignment keeps risk management connected to real business outcomes.

Together, these characteristics make the RMF a powerful, flexible and modern model for governing risk. 

What’s New in NIST SP 800-37 Revision 2?

NIST SP 800-37 Revision 2 introduced seven major updates and one significant addition that fundamentally reshape how organizations govern and operationalize security and privacy across their information systems and risk management programs.

  • Align Governance and Operations: Strengthens communication between senior leadership and operational security teams, ensuring risk decisions are strategic, business-aligned and tied directly to mission priorities.
  • Institutionalize Pre-Implementation Preparation: Embeds essential preparatory activities across all levels of risk management for more efficient and cost-effective RMF execution and compliance.
  • Align with the NIST Cybersecurity Framework (CSF): Clearly demonstrates how the RMF and NIST CSF can work together seamlessly through established NIST processes, enabling robust and consistent cybersecurity governance.
  • Integrate Privacy Risk Management: Privacy is formally incorporated into every step of the RMF. Security and privacy controls are now managed through the same lifecycle, helping organizations protect individuals’ data as part of a unified risk strategy.
  • Advance Secure Systems Engineering: Explicitly connects the RMF to system lifecycle processes defined in NIST SP 800-160, promoting secure software and system development from design through deployment.
  • Embed Supply Chain Risk Management (SCRM): Incorporates supply chain risk considerations into the RMF to tackle pervasive threats like counterfeit components, tampering, unauthorized production and malicious code, bolstering supply chain security.
  • Support Organization-Generated Control Selection: The update recognizes that many organizations need more flexibility than a baseline-only model. Revision 2 enables organizations to develop customized control sets, supported by the expanded control catalog introduced in NIST SP 800-53 Revision 5.
  • The New ‘Prepare’ Step: The Prepare step establishes foundational readiness before any RMF activities begin. It ensures organizations clarify mission context, define roles, understand data sensitivity, set enterprise expectations and coordinate priorities upfront. This reduces rework, aligns teams early and enables more efficient, consistent execution of all subsequent RMF steps.

How to Use NIST 800-37 with NIST 800-39

NIST SP 800-37 RMF is designed to work within the broader organizational risk management approach described in NIST SP 800-39. NIST SP 800-39 explains how leaders, mission owners and system teams share responsibility for managing risk across the entire organization. The RMF works effectively when it is grounded in the organization-wide principles introduced in NIST 800-39.

The 3 Tier Governance Model in NIST 800-39

NIST 800-39 organizes risk management into three interconnected tiers and emphasizes continuous bidirectional communication between them so that risk decisions stay aligned across the entire organization.

  • Tier 1 – Organization Level: Governance, risk tolerance and enterprise-wide direction.
  • Tier 2 – Mission / Business Process Level: Business processes, policies and capabilities that support organizational goals.
  • Tier 3 – Information System Level: Implementation and operation of security and privacy controls within individual systems.

Figure: Organization-wide Risk Management Approach (NIST 800-39)

Tier 1 (Organization)

Tier 1 sets the governance, risk tolerance and enterprise priorities that the RMF depends on. These decisions establish the criteria used in early RMF steps, such as categorizing systems, selecting controls and defining authorization expectations.

Tier 2 (Mission/Business Process)

Tier 2 translates organizational strategy into policies, processes and capabilities that RMF teams follow when designing and implementing systems. The RMF relies on Tier 2 to ensure that its activities align with mission needs and are applied consistently across business processes.

Tier 3 (Information System)

Tier 3 is where the RMF is executed in full. System teams implement controls, assess them, authorize systems and continuously monitor risk, all based on the guidance and constraints set at Tiers 1 and 2. Insights from RMF activities at this tier flow back upward to refine governance and strategy.

Together, these tiers keep RMF activities grounded in organizational goals while also giving leadership visibility into emerging risks and operational realities. When the groundwork at Tiers 1 and 2 is missing, system-level security becomes fragmented, costly and inefficient. Teams duplicate efforts, controls fail to align with mission needs and systems become difficult to secure or maintain. 

But when all three tiers operate in harmony, information risk management becomes an embedded organizational discipline, shaping architecture, engineering, procurement, operations and every phase of the system life cycle. 

Previously, we’ve explored NIST 800-39 in detail in our comprehensive guide. If you want a deeper look at the three-tier model, how risk moves across the organization and why strong governance structures matter, that resource offers a full breakdown.

Risk Management Framework Overview

NIST 800-37 RMF is composed of seven core steps: one foundational step (Prepare) and six lifecycle steps. Together, they form a repeatable, governance-centric process that embeds security and privacy into every system and service an organization depends on.

1. Prepare (Goal: Establish readiness)
  • Establish context for managing risk.
  • Set organizational and system-level priorities.
  • Ensure stakeholders and resources are aligned to execute the RMF.
2. Categorize (Goal: Understand impact)
  • Analyze the system and its data.
  • Assess the impact of loss of confidentiality, integrity or availability.
  • Classify the system to guide control requirements.
3. Select (Goal: Choose controls)
  • Select an initial set of security and privacy controls.
  • Tailor the controls based on risk levels.
  • Reduce risk to an acceptable and manageable level.
4. Implement (Goal: Apply controls)
  • Deploy the selected controls within the system.
  • Document how the controls are implemented.
  • Ensure controls are integrated into the system’s operating environment.
5. Assess (Goal: Verify effectiveness)
  • Evaluate whether controls are correctly implemented.
  • Confirm they operate as intended.
  • Validate that they meet the required security and privacy outcomes.
6. Authorize (Goal: Approve risk)
  • Decide if system-related risks are acceptable.
  • Base the decision on assessment findings.
  • Formally approve the system or common controls for operation.
7. Monitor (Goal: Maintain oversight)
  • Continuously monitor system controls.
  • Assess changes in risk and environment.
  • Conduct regular risk assessments and update documentation.
  • Report on the security and privacy posture over time.

How to Implement the NIST RMF

Each step in the RMF is designed with a clear purpose, defined outcomes and specific tasks to achieve those outcomes. Organizations are expected to complete all RMF steps and associated tasks, except those explicitly marked optional. Although the RMF is presented as a sequence of steps, it is not strictly linear.

After the Prepare step, organizations often follow the steps in order when implementing the RMF for the first time. However, depending on the system type, leadership decisions or development approach (such as agile), it may be necessary to break from the sequence. Once an organization enters the Monitor step, changes in risk or system functionality may require revisiting earlier steps to reassess or adjust controls. 

The RMF is designed to support this flexibility so teams can work efficiently while staying aligned with mission and business needs. Leadership must ensure the right resources are in place so the framework can be executed consistently across the organization.

How to Integrate NIST RMF with Other Frameworks

Organizations that already follow frameworks like ISO 27001, HIPAA or FISMA can often map their existing requirements into the RMF. NIST SP 800-37 is built to integrate seamlessly with:

  • NIST SP 800-53, which provides the detailed control catalog that the RMF uses as its backbone.
  • FISMA requirements for governance and reporting.
  • NIST CSF, which pairs its outcome-based profiles with RMF’s step-by-step workflows.
  • Industry-specific frameworks like HIPAA or ISO 27001. 

7 Steps for NIST 800-37 Compliance

The seven steps defined in the RMF provide a structured, repeatable mechanism to manage modern risks effectively. Each RMF task naturally aligns with core SDLC activities so teams can generate the evidence needed for authorization packages using existing SDLC artifacts rather than creating separate, duplicative documentation. As a result, senior leaders get reliable, risk-based information to support informed decision-making.

Step 1: Prepare

The purpose of the Prepare step is to ensure the organization is ready to manage security and privacy risks before starting the formal RMF process. It involves establishing the necessary groundwork across all levels, from the organization as a whole to mission and business processes and down to individual information systems, so that the RMF can be applied effectively.

The Prepare step takes place across three levels of the organization, ensuring that risk decisions at the lowest level are always tied back to organizational priorities at the top.

RMF Step 1: Prepare Tasks — Organization Level

Each task below lists its key actions and expected outcomes, followed by its primary owner.

P-1: Identify Risk Management Roles
  • Identify all required security and privacy roles (e.g., CIO, CISO, SAOP, AO).
  • Assign individuals or groups to each role.
  • Document role assignments and responsibilities.
  • Ensure no conflicts of interest exist when assigning the same individual to multiple risk management roles.
  Primary Owner: Head of Agency, CIO, SAOP

P-2: Establish Risk Management Strategy
  • Develop a risk management strategy based on mission and compliance needs.
  • Define risk tolerance, assessment methods, the strategies for responding to risk, the process for consistently evaluating security and privacy risks across the enterprise and the approaches for monitoring risk over time.
  • Include supply chain risk management approaches.
  • Approve and document the strategy for organization-wide use.
  Primary Owner: Head of Agency

P-3: Conduct Organization-Wide Risk Assessment
  • Collect risk assessment data from system-level assessments, threat intelligence and supply chain sources.
  • Combine the information into an enterprise risk profile.
  • Use the profile to inform priorities, investments and risk mitigation strategies.
  Primary Owner: Risk Executive

P-4: Tailor Control Baselines (Optional)
  • Establish tailored control baselines or CSF Profiles that apply organization-wide.
  • Document and publish these baselines so they can be used consistently across systems.
  • Use tailored baselines when the organization’s mission, risk environment or operating context differs from the assumptions used to create the standard NIST SP 800-53B baselines.
  Primary Owner: Mission or Business Owner, Risk Executive

P-5: Identify Common Controls
  • Identify controls that can be implemented once and inherited by multiple systems.
  • Document common controls from any NIST SP 800-53 family and assign responsible common control providers.
  • Ensure system owners have access to common control implementation and status.
  Primary Owner: Senior Agency Information Security Officer, SAOP

P-6: Prioritize Systems by Impact (Optional)
  • This task is carried out only after organizational systems have been categorized (Task C-1).
  • Apply the high-water mark concept to each information system categorized in accordance with FIPS 199 and FIPS 200 (low, moderate, high), then prioritize systems that share the same impact level based on business value, potential impact or risk.
  • Prioritize higher-risk or mission-critical systems for resource allocation and authorization scheduling.
  Primary Owner: Risk Executive

P-7: Establish Continuous Monitoring Strategy
  • Establish how the organization will monitor the effectiveness of security and privacy controls across all systems.
  • Define monitoring frequency, assessment methods, automation guidelines and reporting requirements.
  • Approve and publish the strategy for enterprise use.
  Primary Owner: Risk Executive


RMF Step 1: Prepare — System Level

P-8: Mission or Business Focus
  • Identify the missions, business functions and processes the system supports.
  • Elicit security and privacy needs from system stakeholders.
  • Document requirements to ensure alignment with business objectives.
  Primary Owner: Mission or Business Owner

P-9: Identify System Stakeholders
  • Identify all individuals and groups who have an interest in the design, development, implementation, assessment, operation, maintenance or disposal of the system, including supply chain participants.
  • Document stakeholders and their responsibilities.
  • Establish communication channels to support security and privacy decisions.
  Primary Owner: Mission or Business Owner, System Owner

P-10: Identify Assets
  • Create a list of all assets the system must protect, including data, software, hardware and intangible elements like reputation.
  • Organizations can document the asset list in the security and privacy plans.
  Primary Owner: System Owner

P-11: Determine Authorization Boundary
  • Authorizing officials must define the system’s authorization boundary with input from the system owner based on mission, management or budgetary responsibility.
  • Document the boundary and dependencies to ensure clarity for control selection and risk decisions.
  Primary Owner: Authorizing Official

P-12: Identify Information Types
  • List all information types processed, stored or transmitted by the system.
  • Use the NARA CUI Registry to identify all information types that require protection under the Controlled Unclassified Information (CUI) program.
  • Confirm information types with the information owner or steward.
  • Document information types that fall outside the CUI Registry or SP 800-60 Vol. 2 but are still relevant to the system’s operational context.
  • Include the list in the system security and privacy plans.
  Primary Owner: System Owner, Information Owner

P-13: Identify Information Life Cycle
  • Analyze and document every stage of information flow within the system, from collection to disposal.
  • Use data flow diagrams or maps to visualize life cycle processes.
  • Use life cycle data to inform control selection and risk assessments.
  Primary Owner: Senior Agency Official for Privacy, System Owner

P-14: Conduct System-Level Risk Assessment
  • Perform a system-level security and privacy risk assessment that evaluates threats, vulnerabilities and impacts.
  • Incorporate asset criticality, supply chain considerations and external dependencies.
  • Document assessment results for use in control selection and monitoring.
  Primary Owner: System Owner, System Security Officer, System Privacy Officer

P-15: Define Security and Privacy Requirements
  • Translate business and regulatory needs into documented security and privacy requirements.
  • Align requirements with stakeholder priorities, laws and risk assessment results.
  • Use requirements to guide control selection.
  Primary Owner: Mission or Business Owner, System Owner

P-16: Determine Enterprise Architecture Placement
  • Determine how the system fits into the organization’s enterprise architecture.
  • Update architecture artifacts, including the security and privacy architectures, to reflect system placement and dependencies.
  • Use placement to improve visibility, standardization and risk mitigation.
  Primary Owner: Mission or Business Owner, Enterprise Architect

P-17: Allocate Requirements
  • Allocate security and privacy requirements to system elements or environments of operation.
  • Document which requirements are inherited, system-specific or hybrid controls.
  • Use this allocation to guide control implementation and assessment.
  Primary Owner: Security Architect, Privacy Architect

P-18: Register System
  • Register the system in the organization’s management and tracking tools.
  • Add the system to the organization-wide system inventory and update registration upon categorization.
  • Use system registration to ensure governance and authorization visibility.
  Primary Owner: System Owner

Step 2: Categorize

The Categorize step determines the potential adverse impact on organizational operations and assets, individuals, other organizations and the Nation that could result from a loss of confidentiality, integrity or availability of organizational systems and the information they process, store and transmit. These impact determinations inform risk management activities across the organization.

C-1: Document System Description
  • Create a detailed description of the system, including purpose, architecture, users, components and connections.
  • Avoid duplication whenever possible.
  • Include this description in the security and privacy plans.
  • Keep documentation updated throughout the SDLC as system characteristics change.
  • Update system registration information with the system characterization information (Task P-18).
  Primary Owner: System Owner

C-2: Categorize Security
  • Determine impact levels for confidentiality, integrity and availability based on information types and mission impact.
  • Organizations can use either FIPS 200 or CNSSI 1253 to do this.
  • Document the final security categorization results in the system security plan and cross-reference them in the privacy plan if the system processes PII.
  • Use the categorization results to drive security control selection, including baseline selection and tailoring decisions.
  • Refine categorization results through impact-level prioritization (Task P-6) when multiple systems share the same impact level.
  Primary Owner: System Owner, Information Owner

C-3: Review and Approve Security Categorization
  • Submit the categorization to the Authorizing Official and Senior Agency Official for Privacy for review.
  • Ensure the categorization aligns with organizational mission, risk strategy and high-value asset priorities.
  • Receive AO guidance on any limitations or constraints that will apply to baseline tailoring in the Select step (Task S-2).
  • Update the system registration record with the final approved categorization as required (Task P-18).
  Primary Owner: Authorizing Official or a Designated Representative
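The high-water mark referenced in Tasks P-6 and C-2 is a small but frequently mis-applied computation: each security objective (confidentiality, integrity, availability) takes the highest impact value across all information types the system handles, and the system's overall impact level is then the highest of those three. The script below is an added illustration, not code from the original article, from SaltyCloud or from NIST; the information types, their impact values and the system names are constructed samples (a real categorization would take them from SP 800-60 Vol. 2 and the organization's own risk assessment). It also goes one step further than the text and shows how the resulting categories can be used to order systems for the optional P-6 prioritization.

```python
"""FIPS 199 / FIPS 200 high-water-mark categorization and impact-level
prioritization, as used in RMF Tasks C-2 and P-6.  Added example; not
code from the original article, from SaltyCloud or from NIST.  All
information types, impact values and system names below are constructed."""

from typing import Dict, List, NamedTuple, Optional

# FIPS 199 impact scale, ordered low -> high.  None models "not applicable",
# which FIPS 199 permits only for the confidentiality of an information type.
LEVELS = ("low", "moderate", "high")
RANK = {lvl: i + 1 for i, lvl in enumerate(LEVELS)}  # low=1, moderate=2, high=3


class InfoType(NamedTuple):
    name: str
    confidentiality: Optional[str]  # None == "not applicable"
    integrity: str
    availability: str


def _rank(level: Optional[str]) -> int:
    """Numeric rank of an impact value; 'not applicable' ranks below low."""
    if level is None:
        return 0
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return RANK[level]


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """System security category: the high-water mark for each objective
    across every information type the system processes (FIPS 199).
    A system's confidentiality can never be 'not applicable', so the
    result is floored at 'low' even if every information type is public."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in ("confidentiality", "integrity", "availability"):
        top = max(_rank(getattr(t, objective)) for t in info_types)
        category[objective] = LEVELS[max(top, 1) - 1]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the high-water mark across C, I and A.
    This is the value that selects the SP 800-53B baseline in Task S-1."""
    return LEVELS[max(RANK[v] for v in category.values()) - 1]


def format_sc(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation used in security plans."""
    inner = ", ".join(f"({k}, {v.upper()})" for k, v in category.items())
    return f"SC {system_name} = {{{inner}}}"


def prioritize_systems(systems: Dict[str, Dict[str, str]]) -> List[str]:
    """Task P-6: order systems for resource allocation and authorization
    scheduling.  Overall impact level comes first; systems that share a
    level are separated by the sum of their C/I/A ranks (a constructed
    proxy for business value or potential impact), then by name so the
    ordering is stable and repeatable."""
    def key(item):
        name, cat = item
        return (-RANK[overall_impact(cat)],
                -sum(RANK[v] for v in cat.values()),
                name)
    return [name for name, _ in sorted(systems.items(), key=key)]


# Constructed sample: one system processing three information types.
STUDENT_PORTAL = [
    InfoType("public web content", None, "low", "low"),
    InfoType("student records", "moderate", "moderate", "low"),
    InfoType("payment card data", "high", "moderate", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(STUDENT_PORTAL)
    print(format_sc("Student Portal", cat))
    print("Overall impact (FIPS 200):", overall_impact(cat))
```

Two details are worth checking in any tooling that automates this step: a single high-impact information type (here, payment card data) pulls the whole system to a high baseline regardless of how little of that data it holds, which is exactly why P-11 boundary decisions matter; and the confidentiality floor at low means that a system processing only public data still receives a low baseline rather than no controls at all.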

Step 3: Select 

The Select step determines which security and privacy controls are needed to protect a system based on its risk level and impact. This step involves choosing, tailoring and documenting the controls that will keep the system secure and aligned with organizational policies and compliance requirements. By the end of this step, the organization will have a control baseline that reflects both NIST requirements and mission-specific needs.

S-1: Select Controls
  • Select the controls for the system and the environment of operation.
  • Use the baseline approach when a pre-defined control set from SP 800-53B meets the system’s general protection needs and provides consistency across the organization.
  • Choose the organization-generated control selection approach when the system is highly specialized, narrowly scoped, or when starting from a full baseline is inefficient.
  • Use the system’s security categorization results (Task C-2) and documented security and privacy requirements (Task P-15) to inform which security and privacy control baselines are appropriate.
  • Use results from the privacy risk assessment (Task P-14) to select privacy controls that address both unauthorized and authorized system activities that may create privacy risks.
  Primary Owner: System Owner

S-2: Tailor Controls
  • Tailor the selected control baselines using mission needs, business functions, threats, security risks, privacy risks, supply chain risks, system type and organizational risk tolerance.
  • Security, privacy and supply chain risk assessment results drive which controls need strengthening, modification or supplementation.
  • Incorporate overlays, tailored baselines and Cybersecurity Framework Profiles to refine the control set.
  Primary Owner: System Owner

S-3: Allocate Security and Privacy Controls
  • Decide whether each control is system-specific, hybrid or common and allocate it accordingly.
  • Assign each control to the specific system elements responsible for providing the required security or privacy capability.
  • Use architecture, categorization and risk assessment data to guide allocation decisions.
  • Document allocation decisions clearly to support assessment, inheritance and authorization.
  Primary Owner: Security Architect, Privacy Architect

S-4: Document Planned Control Implementation
  • Document how every selected control will be implemented in the system.
  • Specify implementation details for system-specific and hybrid controls.
  • Include planned inputs, expected behavior and expected outputs for mechanism-based controls.
  • Ensure the documentation supports assessment, traceability and SDLC integration.
  • Leverage automation and existing documentation to reduce redundancy.
  Primary Owner: System Owner

S-5: Develop System-Level Continuous Monitoring Strategy
  • Define a system-level monitoring approach that aligns with the organization’s overall strategy.
  • Specify assessment frequency, monitoring tools and reporting workflows.
  • Obtain approval from the Authorizing Official and begin monitoring at system operation.
  • Document and integrate the strategy into system plans.
  Primary Owner: System Owner

S-6: Plan Review and Approval
  • Review the security and privacy plans to ensure they are complete, consistent and meet all requirements.
  • Ensure the review includes all required stakeholders.
  • If gaps or inconsistencies exist, the AO or delegate directs the system owner or common control provider to revise and resubmit the plans.
  • Use the approval as the gateway for moving into the Implement step of the RMF.


Step 4: Implement

The Implement step puts the chosen security and privacy controls into action. This includes applying technical, procedural and operational safeguards to the system and documenting how each control is implemented. The focus is on ensuring that security and privacy measures are correctly integrated into the system and ready to be assessed.

I-1: Implement Controls
  • Implement all selected security and privacy controls across system components and environments.
  • Apply established engineering methodologies, risk-driven decision-making and mandatory configuration settings.
  • Conduct initial control assessments during development to identify issues early.
  • Ensure implementation follows the defined control baseline and risk strategy.
  • Capture evidence of control implementation.
  Primary Owner: System Owner

I-2: Update Control Implementation Information
  • Document changes to planned control implementations based on the “as-implemented” state of controls.
  • Revise descriptions of control inputs, expected behavior and outputs to reflect the real implementation.
  • Record all deviations from the planned implementation and the reasons for those changes.
  • Maintain version-controlled documentation to track how implemented controls have evolved.
  Primary Owner: System Owner


Step 5: Assess 

The Assess step checks whether the controls have been correctly implemented and are working as intended. Using independent assessors or automated tools, the organization reviews the effectiveness of safeguards against likely threats. Any weaknesses are documented, validated and tracked, forming the basis for risk decisions.

A-1: Select Assessor
  • Select an independent, qualified assessor or assessment team to evaluate the system’s controls.
  • Ensure assessor selection avoids conflicts of interest.
  Primary Owner: Authorizing Official

A-2: Develop Assessment Plan
  • Develop a security and privacy assessment plan that reflects how each control will be assessed.
  • Decide whether to use a single integrated assessment plan or separate plans.
  • Submit the assessment plan for review and approval by the authorizing official or their designated representative.
  • Use the approved plan to set expectations for the assessment’s scope, methods and required level of effort.
  Primary Owner: Authorizing Official, Control Assessor

A-3: Assess Controls
  • Evaluate the effectiveness of each control through testing, examination or interviews.
  • Provide clear findings that document control effectiveness and identify deficiencies or vulnerabilities.
  Primary Owner: Control Assessor

A-4: Prepare Assessment Report
  • Create a security and privacy assessment report documenting results, evidence and risk implications.
  • Include interim assessment results from earlier SDLC phases in the final report.
  • Provide an executive summary that highlights key findings and recommended remediation actions.
  • Submit the report for review to the system owner and AO.
  Primary Owner: Control Assessor

A-5: Conduct Remediation
  • Identify and document all control deficiencies that create security or privacy risks, including supply chain risks.
  • Determine which deficiencies require immediate remediation based on organizational risk tolerance.
  • Perform initial remediation actions where feasible using available resources.
  • Update the security and privacy plans with accurate “as-remediated” control descriptions.
  • Prepare an addendum that documents system owner or common control provider responses to findings.
  Primary Owner: System Owner

A-6: Develop POA&M
  • Document all planned remediation actions for control deficiencies in a formal Plan of Action and Milestones (POA&M).
  • Define tasks, required resources, milestones and target completion dates for each remediation action.
  • Ensure the authorizing official reviews and agrees with all planned remediation actions.
  • Use the POA&M to track and monitor remediation progress across the organization.
  Primary Owner: System Owner

Step 6: Authorize 

In the Authorize step, a senior leader formally decides whether the system has an acceptable level of risk and can operate. This decision is based on all the evidence gathered through assessment, packaged in a set of authorization documents. The goal is to ensure that executive leadership signs off on risk acceptance at a level aligned with organizational priorities and risk tolerance.

Task Key Actions and Expected Outcome Primary Owner
R-1: Prepare Authorization Package
  • Compile authorization package including system security plan, assessment report and POA&Ms.
  • Submit the package to the Authorizing Official for risk review.
  • Ensure the Senior Agency Official for Privacy reviews packages for systems processing PII before AO review.
System Owner
R-2: Conduct Risk Analysis
  • Review the authorization package to evaluate residual risk and system readiness.
  • Assess whether risks align with organizational risk tolerance and strategy.
  • Consult with assessment and system teams as needed to clarify findings.
  • Organizations can use automated tools like Isora GRC to support and document the risk determination.
Authorizing Official
R-3: Risk Response
  • Decide on risk mitigation, risk acceptance or additional remediation based on analysis.
  • Document all mitigation actions in the POA&M and track them to completion.
  • Document risk decisions and guidance for the system owner.
  • Risk acceptance cannot be delegated: only the authorizing official can accept risk, and the AO determines whether identified deficiencies must be mitigated before authorization proceeds.
Authorizing Official
R-4: Authorization Decision
  • Make a formal, explicit authorization decision based on the full authorization package.
  • The AO discusses the residual risk, dependencies and organizational risk tolerance with the Senior Accountable Official for Risk Management (SAORM) or the Risk Executive (Function).
  • All authorization procedures for ongoing and periodic reauthorization must align with applicable laws, regulations, directives and organizational policies.
Authorizing Official
R-5: Authorization Reporting
  • Report authorization decisions to designated organizational officials.
  • Report significant vulnerabilities or exploitable deficiencies identified during assessment or monitoring.
  • When reporting significant risks, authorizing officials can use the NIST CSF Functions, Categories and Subcategories to structure or map the reported vulnerability.
Authorizing Official

Step 7: Monitor

The Monitor step ensures that security and privacy controls continue to perform effectively over time. This includes ongoing assessment, change management and reporting, often supported through automation. Continuous monitoring supports near real-time risk awareness and allows systems to maintain authorization without repeating the entire RMF process from scratch.

Task Key Actions and Expected Outcome Primary Owner
M-1: Monitor System Changes
  • Track and document changes to the system or environment that may affect security or privacy controls.
  • Detect and analyze both authorized and unauthorized changes.
  • Document all changes and maintain alignment with authorization terms and conditions.
  • Feed findings into the risk response process (Task M-3).
System Owner
M-2: Conduct Ongoing Assessments
  • Perform ongoing assessments of control effectiveness at the frequencies defined in the organizational continuous monitoring strategy (Task P-7) and the system-level monitoring strategy (Task S-5).
  • Ensure assessors maintain the required level of independence.
  • Use automation where possible to increase frequency and reduce burden.
  • Record results in assessment reports.
Control Assessor
M-3: Respond to Risk
  • Use organizational risk assessment results (Task P-3) and system-level risk assessment results (Task P-14) to guide ongoing risk response decisions.
  • Update POA&M entries (Task A-6) with planned mitigation actions when risk response requires remediation.
  • Trigger reassessment of modified controls (Task A-3) to confirm that new or enhanced controls are implemented correctly and operating as intended.
  • Ensure controls added or modified during monitoring feed back into continuous monitoring requirements (Task M-2) for ongoing visibility.
Authorizing Official, System Owner
M-4: Update Documentation
  • Update all risk management artifacts continuously to reflect changes in controls, new assessment results and progress on remediation.
  • Ensure updates accurately represent the system’s current security and privacy posture, because this data directly informs near real-time risk decisions and ongoing authorization.
  • Use automated tools and program-wide management practices.
  • Protect auditability and traceability by ensuring updates do not overwrite or destroy information required for oversight.
System Owner
M-5: Report Security and Privacy Posture
  • Document and report monitoring results according to the organization’s continuous monitoring strategy.
  • Summarize all changes since the last reporting period and provide clear visibility into current risks and control effectiveness.
  • Use automated dashboards or reporting tools.
  • Use posture reports to support the AO's determination, made in consultation with the CIO, SAISO, SAOP and Risk Executive, of whether the authorization can be sustained or reauthorization is needed.
System Owner, SAISO, SAOP
M-6: Ongoing Authorization
  • Use organization-level and system-level continuous monitoring results to reassess control effectiveness on an ongoing basis.
  • Review the system’s current security and privacy posture continuously to determine whether the risk remains acceptable or requires action.
  • Decide whether to sustain, modify, or deny authorization based on updated risk information and posture reports.
  • Communicate updated risk determinations to the Senior Accountable Official for Risk Management (SAORM) or Risk Executive.
  • Leverage automated tools, dashboards and metrics to support near real-time risk determination and reporting.
Authorizing Official
M-7: System Disposal
  • Execute system disposal or decommissioning plan when retiring the system.
  • Remove or disable controls and ensure secure data destruction or transfer.
  • Update records and close monitoring activities.
  • Review and assess inherited control relationships to identify any impacts caused by system removal.
  • Ensure that system disposal complies with all applicable federal laws, regulations, policies and standards.
System Owner

NIST 800-37 RMF Roadmap

Preparation Activities

Before diving into the RMF, organizations need to lay the groundwork.

  • Inventory All Systems: Identify every information system, asset, or component that falls within scope. Categorize them based on their impact and risk exposure.
  • Define the Risk Governance Team: Appoint system owners, authorizing officials, common control providers, privacy officers and security assessors. Clearly assign RMF roles and remove conflicts of interest.
  • Build Control Baselines: Use organization-wide baselines and profiles to reduce duplication and standardize control implementations across systems.

Establish both organization-level and system-level readiness, focusing on common control inheritance and tailored baselines to streamline subsequent RMF steps.

Implementation Workflow

The RMF is structured in seven core steps, starting with Prepare and ending in Monitor. Each step is iterative and interconnected. Throughout the process:

  • Maintain a risk register to track threats, vulnerabilities and remediation progress.
  • Document every action and decision to support audit readiness, communication and lifecycle management.

Assessment Practices

A good assessment is both repeatable and defensible.

  • Use Validated Methodologies: Adopt security control assessment methods aligned with NIST SP 800-53A or recognized independent frameworks.
  • Leverage Automation: Continuous monitoring tools and scripts support near-real-time assessment of control implementation.
  • Retain Evidence: Collect artifacts and logs that substantiate test results and support follow-up reviews by auditors and authorizing officials.

Required Documentation

Everything in RMF needs to be documented. The core required artifacts include:

  • System Security Plan (SSP): Describes the system, architecture, controls and environment of operation.
  • Security and Privacy Assessment Report (SAR): Summarizes the results of control testing, including findings, evidence and risk implications.
  • Plan of Action and Milestones (POA&M): Lists all known deficiencies, prioritized remediation tasks, owners and timelines.

Keeping documentation current is not just a regulatory requirement, it’s the key to ongoing authorization and continuous improvement.

Benefits of NIST 800-37

NIST 800-37 RMF helps organizations streamline implementation, adopt more innovative risk management methods and increase automation where possible. 

Improved Risk Management

  • Stronger Risk Posture: The Prepare step creates a shared foundation for RMF activities at both the enterprise and system level. It enhances stakeholder alignment and reduces uncertainty during security planning and execution.
  • Organizational Risk Reduction: With structured categorization, tailored control baselines and common control inheritance, organizations reduce the likelihood and impact of incidents and improve resilience.

Greater Efficiency and Reduced Cost

  • Cut Duplication and Redundancy: Leveraging common controls across systems reduces time, effort and cost. Instead of reinventing the wheel, teams inherit approved controls from enterprise services or cloud providers.
  • Accelerated System Onboarding: Tailored baselines and reusable security documentation, such as control catalogs, SSPs and assessment reports, help standardize the security process across similar deployments.
  • Lower Burden for Low-Impact Systems: RMF allows reduced effort for systems with a lower risk profile—freeing resources to focus on critical systems and high-value assets.

Automation and Scalability

  • Increased Automation: Organizations can automate repetitive steps like categorization, control selection, assessment scheduling, continuous monitoring and authorization updates. This improves accuracy and frees up staff to focus on deeper analysis.
  • Continuous Monitoring → Ongoing Authorization: RMF supports a shift from static, periodic authorization to dynamic, ongoing authorization based on real-time readiness. This decreases long-term costs and reduces compliance fatigue.

Modern Architecture and Innovation

  • Optimized Use of Shared Services and Cloud Systems: RMF streamlines authorization for cloud environments, minimizing duplicate authorizations and enabling shared controls across multiple tenants.
  • Customized Control Engineering: Security and privacy controls can be tailored to organizational workstreams, ensuring alignment across both IT and OT environments.
  • Environment Simplification: The principle of least functionality reduces attack surface by removing unnecessary system components—making environments easier to secure and manage.

Organizational Credibility

  • Audit Readiness and Transparency: Standardized documentation and frequent monitoring lead to cleaner audits and faster responses to auditor requests.
  • Regulatory Alignment: The RMF directly supports FISMA and FedRAMP obligations, and its SP 800-53 control set can be crosswalked to HIPAA, ISO 27001 and other regulatory or contractual requirements.
  • Market Confidence: Demonstrating mature risk practices and continuous authorization enhances trust with regulators, customers and partners—helping organizations demonstrate security as a competitive advantage.

Challenges with NIST 800-37 RMF

  • Resource constraints: Fully implementing the RMF demands ongoing investment in people, tools and processes. Many organizations underestimate how much effort continuous monitoring, assessment and documentation really require.
  • Cultural resistance: Business stakeholders sometimes view security tasks and controls as barriers to speed or productivity. Overcoming this requires showing how structured risk management actually supports mission objectives by reducing uncertainty and enabling better decisions.
  • Documentation overload: Teams accustomed to ad-hoc or informal security practices often struggle with the level of rigor required by NIST 800-37. The framework demands ongoing, detailed documentation of controls, status and authorizations and consistency is key.
  • Integration challenges: Organizations with established risk or compliance practices may find it difficult to reconcile existing processes with RMF requirements. Proper alignment often requires crosswalking frameworks and modifying existing governance workflows.
  • Skills gaps: The RMF requires advanced expertise in areas like risk assessment, security architecture and control evaluation. Without trained personnel or external support, execution becomes inconsistent or incomplete.

How GRC Tools Can Help

Modern risk management demands both speed and accuracy. That’s where automation plays a crucial role. Wherever possible, the NIST 800-37 document encourages organizations to automate steps in the RMF to boost efficiency, improve control accuracy and strengthen decision-making.

Automation can significantly streamline key RMF activities, such as control assessments, continuous monitoring and the preparation of authorization packages. When these processes flow through an automated system, senior leaders are able to make informed, risk-based decisions in real-time or close to it, rather than waiting for manual reports or periodic updates.

With a modern GRC solution like Isora GRC, organizations gain capabilities such as:

Centralized Control Catalogs & Tailoring

GRC platforms come with preloaded frameworks like NIST SP 800-53, NIST CSF and others. They allow organizations to tailor baselines, apply overlays and map controls to organizational policies and system-specific needs. This makes it easier to align control selection (RMF Step 3: Select) with the exact risk profile of each system.

Automated Risk Assessments

Instead of manual spreadsheets, GRC tools enable automated security and privacy risk assessments. They standardize workflows to capture threats, vulnerabilities, likelihoods and impacts, including FIPS 199 categorization inputs. They can support initial assessment (Prepare and Categorize steps) and continuous risk scoring (Monitor step).

Control Implementation Tracking

A GRC platform provides real-time visibility into which controls are implemented, partially implemented, or not implemented. It supports assigning controls to owners, tracking evidence and using Plan of Action & Milestones (POA&M) workflows for deficiencies. For hybrid and inherited common controls, GRC platforms can show what is in place at the enterprise level vs. the system level.

System Security Plans (SSPs) & Authorization Packages

GRC platforms can automatically generate SSPs, Security Assessment Reports (SARs), Privacy Plans and other documentation needed for RMF Steps 4–6 (Implement, Assess and Authorize). These exports follow standard formats used by evaluators and Authorizing Officials.

Workflow Automation & Role-Based Collaboration

NIST 800-37 RMF requires clear roles: CISO, Authorizing Official, System Owner, Privacy Officer, etc. GRC tools manage tasks, approvals and workflows dynamically with reminders and evidence submission. Everyone sees their responsibilities and deadlines and progress is tracked centrally.

Continuous Monitoring & Real-Time Dashboards

The RMF emphasizes ongoing monitoring. GRC platforms automate continuous control monitoring using integration with security tools (vulnerability scanners, SIEM, IAM logs), scheduled control reviews and automated evidence collection.

Risk dashboards also help senior leaders make timely, risk-based decisions, aligning with RMF Step 7: Monitor.

Compliance Mapping & Crosswalks

Many GRC tools map NIST controls to other frameworks (e.g., ISO 27001, HIPAA, CMMC). This reduces duplication for organizations with multiple regulatory requirements and makes it easy to maintain a single source of truth.

Audit Trails and Evidence Management

Every step in the RMF requires documentation and traceability. GRC platforms store artifacts, generate timestamped logs and support audit readiness.

Isora GRC for NIST 800-37 

Isora GRC helps organizations implement NIST SP 800-37 by providing security teams with a collaborative GRC Assessment Platform™ that operationalizes the RMF through structured assessments, connected inventories and a live risk register. This eliminates the friction of spreadsheets and legacy GRC tools and ensures that every RMF step follows a clear, guided workflow.

Assessment Management

Enables organizations to run structured RMF assessments across systems, units and vendors in one centralized workspace. Teams can manage assessment cycles, track completion, publish risks directly from findings and maintain a consistent, repeatable process aligned to RMF Steps 5 and 7 (Assess and Monitor).

Questionnaires & Surveys

Provides NIST-aligned, customizable questionnaires for control selection, implementation validation and evidence collection. Logic, weighted scoring and multi-contributor workflows ensure clean, accurate control evaluations during RMF Steps 3 and 4 (Select and Implement).

Reports & Scorecards

Generates audit-ready reporting for RMF authorization packages. Scorecards roll up assessment results, risks, exceptions and remediation activities into clear, exportable reports that support leadership decision-making in RMF Step 6 (Authorize).

Inventory Management

Centralizes system, vendor and asset records with metadata, ownership and data-classification attributes required for RMF Step 2 (Categorize). Every assessment, risk and exception automatically links to the relevant inventory item to preserve traceability.

Exception Management

Captures, documents and tracks deviations from implemented controls or security requirements. Each exception can be assigned, time-bound and linked to an asset or unit. This helps organizations document residual risk during control implementation and authorization activities.

Risk Management

Maintains a live RMF-aligned risk register that connects directly to assessments and exceptions. Risks are assigned to owners, prioritized using visual scoring tools and tracked through remediation activities to support continuous monitoring in RMF Step 7 (Monitor).

NIST 800-37 FAQs

What are the seven steps of the NIST 800-37 Risk Management Framework?

NIST 800-37 defines a structured, repeatable RMF made up of seven steps used to manage security and privacy risk across information systems.

The seven RMF steps are:

  1. Prepare: Establish governance, roles, risk strategy and system context.
  2. Categorize: Determine the impact levels for confidentiality, integrity and availability.
  3. Select: Choose, tailor and document the security and privacy controls.
  4. Implement: Put the selected controls into operation and document how they work.
  5. Assess: Evaluate whether controls are implemented correctly and functioning as intended.
  6. Authorize: Senior leadership makes a formal decision to accept or reject system risk.
  7. Monitor: Continuously track changes, reassess controls and update risk documentation.

These steps create a lifecycle for ongoing risk management rather than a one-time compliance exercise.

How do organizations categorize information systems under NIST 800-37?

System categorization in NIST 800-37 determines the potential impact of losing confidentiality, integrity, or availability. This categorization defines how much security is required.

Most organizations categorize systems by:

  1. Identifying information types processed, stored or transmitted.
  2. Determining the impact levels (low, moderate, or high) for each objective using FIPS 199 (or CNSSI 1253 for national security systems), with NIST SP 800-60 as the reference for information types and their provisional impact levels.
  3. Documenting the categorization in the System Security Plan (SSP).
  4. Submitting the categorization to the Authorizing Official (AO) for review and approval.

This step drives control selection, risk prioritization and resource allocation across the RMF.
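The mechanics behind step 2 are the FIPS 199 high-water mark: for each security objective the system takes the highest impact value of any information type it handles, and the overall impact level used to pick the SP 800-53B baseline is the highest of the three objectives. The following is an added example, not code from the guide or from NIST, that computes both and reports which information types drive each level, since a single high-availability information type can pull an otherwise moderate system into the High baseline and is often the reason to revisit the authorization boundary. The information types, impact values, system name and adjustment mechanism are constructed for illustration and are not drawn from SP 800-60.

```python
# Added example, not code from the guide or from NIST: FIPS 199 categorization
# by high-water mark. Information types, impact values and names below are
# constructed for illustration (assumption), not taken from SP 800-60.
from dataclasses import dataclass

# FIPS 199 impact values. "NA" (not applicable) is permitted only for the
# confidentiality of an individual information type (public information);
# a system-level value can never be NA, so LOW is the floor there.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _normalize(level: str, objective: str) -> str:
    level = level.strip().upper().replace("N/A", "NA")
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact value {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only allowed for confidentiality (FIPS 199)")
    return level


def categorize_system(info_types, adjustments=None):
    """Return {objective: impact} for a system: the high-water mark over all
    information types it processes, stores or transmits.

    adjustments (assumption: SP 800-60 style documented adjustments) is an
    optional {(type name, objective): level} override of provisional values.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    adjustments = adjustments or {}
    category = {obj: "LOW" for obj in OBJECTIVES}   # system-level floor is LOW
    for it in info_types:
        for obj in OBJECTIVES:
            level = _normalize(adjustments.get((it.name, obj), getattr(it, obj)), obj)
            if IMPACT_ORDER[level] > IMPACT_ORDER[category[obj]]:
                category[obj] = level
    return category


def overall_impact_level(category):
    """High-water mark across the three objectives (FIPS 200): this selects the
    Low, Moderate or High baseline from SP 800-53B."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)


def driving_types(info_types, category):
    """Which information types are responsible for each objective's level;
    useful when asking whether a boundary split would lower the baseline."""
    return {
        obj: sorted(it.name for it in info_types
                    if _normalize(getattr(it, obj), obj) == category[obj])
        for obj in OBJECTIVES
    }


def format_sc(system_name, category):
    """FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample (assumption): three information types on one system.
SAMPLE_TYPES = [
    InfoType("Public web content", "NA", "MODERATE", "LOW"),
    InfoType("Employee PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("Emergency notifications", "LOW", "MODERATE", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc("HR Portal", sc))
    print("baseline:", overall_impact_level(sc))
    print("drivers:", driving_types(SAMPLE_TYPES, sc))
```

With the sample types the system categorizes as Moderate for confidentiality and integrity but High for availability, so the High baseline applies, and `driving_types` shows that only the emergency-notification information type is responsible; moving that function to its own authorization boundary, or documenting a justified adjustment, is the kind of decision the categorization record submitted to the AO should explain.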

What is the relationship between NIST 800-37 and NIST 800-53 control baselines?

NIST 800-37 provides the process for managing risk, while NIST 800-53 provides the controls used to protect systems.

  • NIST 800-37 tells you how to choose, implement, assess, authorize and monitor controls.
  • NIST 800-53 provides the catalog of security and privacy controls used in Step 3 (Select).
  • The organization chooses a control baseline (Low, Moderate, High) from NIST 800-53B, then tailors it using mission needs, threats and risk tolerance.

Together, they ensure that security controls are selected and applied in a consistent, risk-based way.

What changes were introduced in NIST 800-37 Revision 2?

Revision 2 modernized the RMF by expanding its scope, strengthening governance and integrating privacy throughout the framework.

Key updates include:

  • A new Prepare step, emphasizing enterprise readiness before control selection.
  • Formal integration of privacy, making privacy a co-equal pillar with security.
  • Alignment with the NIST Cybersecurity Framework (CSF).
  • Stronger system engineering linkage through connections to NIST SP 800-160.
  • Inclusion of Supply Chain Risk Management (SCRM) as a required component.
  • Support for organization-defined control selection, not only baselines.
  • Greater emphasis on continuous monitoring and real-time risk awareness.

These updates make the RMF more flexible, governance-driven and aligned with modern cloud and DevOps environments.

How does NIST 800-37 integrate with the NIST Cybersecurity Framework (CSF)?

NIST 800-37 and the NIST CSF are designed to work together.

  • The NIST CSF defines desired cybersecurity outcomes (Identify, Protect, Detect, Respond, Recover).
  • NIST 800-37 provides the step-by-step process to achieve those outcomes across a system’s lifecycle.
  • Organizations can use CSF Profiles during the Prepare and Select steps (RMF Steps 1 and 3) to tailor control selection and align with business goals.
  • Continuous monitoring results from the RMF feed directly into CSF reporting and governance conversations.

How does continuous monitoring work in NIST 800-37?

Monitor is the seventh step of the RMF. Continuous monitoring ensures that controls remain effective as systems and threats change by: 

  • Tracking system changes that may introduce new risks.
  • Performing ongoing control assessments based on a defined monitoring strategy.
  • Updating the POA&M as new issues or vulnerabilities emerge.
  • Maintaining accurate, current risk and authorization documentation.
  • Producing regular security and privacy posture reports for leadership.

The goal is near real-time visibility, enabling organizations to maintain ongoing authorization without restarting the full RMF cycle.
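Task M-1 in the Monitor step (detect and analyze both authorized and unauthorized changes, then feed them into risk response and reassessment) and the change-tracking bullet in this answer describe the same mechanism. The following is an added example, not code from the guide or from any monitoring product, showing the core of it: a hash manifest captured at authorization time is compared with the current state, an approved-change ledger separates authorized from unauthorized changes, and a file-to-control map turns the result into the list of SP 800-53 controls that need reassessment (Tasks M-2/A-3). The file contents, ticket number, paths and the control mapping are constructed for illustration.

```python
# Added example (not from the guide): baseline-vs-current change detection for
# RMF Task M-1, with an approved-change ledger to separate authorized from
# unauthorized changes and a mapping from files to the controls whose
# reassessment (Tasks M-2/A-3) a change triggers. File contents, the ticket
# number and the control mapping are constructed for illustration.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: file contents recorded when the system was authorized.
_AUTHORIZED_STATE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = rotate\n",
    "/etc/sudoers": b"%wheel ALL=(ALL) ALL\n",
}
BASELINE = {p: sha256_hex(c) for p, c in _AUTHORIZED_STATE.items()}

# Constructed: what a monitoring agent observes in the current reporting period.
_CURRENT_STATE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nAllowTcpForwarding no\n",
    "/etc/sudoers": b"%wheel ALL=(ALL) ALL\nbackup ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
CURRENT = {p: sha256_hex(c) for p, c in _CURRENT_STATE.items()}

# Constructed change ledger: an approval names the file and the hash it must
# have afterwards, so one ticket cannot be reused to cover a different edit.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "path": "/etc/ssh/sshd_config",
     "expected_sha256": sha256_hex(_CURRENT_STATE["/etc/ssh/sshd_config"])},
]

# Constructed (assumption): which SP 800-53 controls each file implements.
CONTROL_MAP = {
    "/etc/ssh/sshd_config": ["AC-17", "IA-5"],
    "/etc/audit/auditd.conf": ["AU-4", "AU-12"],
    "/etc/sudoers": ["AC-6"],
}


def detect_changes(baseline, current, approved):
    """Classify every path as unchanged, authorized, unauthorized, added or removed."""
    approved_by_path = {a["path"]: a for a in approved}
    report = {"authorized": [], "unauthorized": [], "added": [], "removed": [], "unchanged": []}
    for path, old in sorted(baseline.items()):
        if path not in current:
            report["removed"].append(path)
            continue
        new = current[path]
        if new == old:
            report["unchanged"].append(path)
        elif path in approved_by_path and approved_by_path[path]["expected_sha256"] == new:
            report["authorized"].append((path, approved_by_path[path]["ticket"]))
        else:
            # Changed with no ticket, or with a ticket whose expected hash does
            # not match: either way the authorization terms no longer hold.
            report["unauthorized"].append(path)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def controls_to_reassess(report, control_map):
    """Every changed or removed file, authorized or not, triggers reassessment
    of the controls it implements; authorized changes still need Task A-3."""
    touched = ([p for p, _ in report["authorized"]] + report["unauthorized"]
               + report["removed"] + report["added"])
    controls = set()
    for p in touched:
        controls.update(control_map.get(p, []))
    return sorted(controls)


def unmapped_paths(report, control_map):
    """New files with no control mapping: the SSP and control map need updating (Task M-4)."""
    return sorted(p for p in report["added"] if p not in control_map)


if __name__ == "__main__":
    r = detect_changes(BASELINE, CURRENT, APPROVED_CHANGES)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("reassess:", controls_to_reassess(r, CONTROL_MAP))
    print("unmapped:", unmapped_paths(r, CONTROL_MAP))
```

Two design points matter in practice: the approval record binds a ticket to the resulting hash, so a ticket for one sshd edit cannot later excuse a different one, and the removal of `auditd.conf` is treated as a change requiring reassessment of the audit controls rather than silently disappearing from the manifest. Real agents would use a file integrity monitor or configuration-management state instead of inline byte strings, but the classification logic is the same.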

How does NIST 800-37 address supply chain risk management (SCRM)?

NIST 800-37 Revision 2 embeds Supply Chain Risk Management across multiple RMF activities. It requires organizations to:

  • Integrate SCRM into the risk management strategy, including policies and roles.
  • Assess supply chain threats and vulnerabilities during the Prepare and Categorize steps.
  • Select and tailor controls that address counterfeit components, tampering, malicious code and vendor weaknesses.
  • Evaluate supply chain dependencies during risk assessments.
  • Monitor vendors and external service providers as part of continuous monitoring.

SCRM is treated as a foundational component, not an optional add-on.

How does NIST 800-37 support agile or iterative system development approaches?

The RMF is intentionally designed to work in iterative, fast-moving environments. NIST 800-37 supports agile by:

  • Allowing non-linear execution of tasks where needed.
  • Encouraging incremental control implementation and assessment during development.
  • Supporting frequent re-evaluation of controls and risks as software and architecture change.
  • Using ongoing authorization instead of reset-and-restart authorization cycles.
  • Leveraging DevOps artifacts as evidence, reducing documentation burden.

This flexibility ensures that the RMF aligns with modern engineering practices without slowing development teams down.

What is the role of risk assessments in the NIST 800-37 Prepare step?

Risk assessments in the Prepare step establish enterprise and system-level readiness before selecting controls. Their role includes:

  • Identifying threats, vulnerabilities and mission impacts early.
  • Informing the risk management strategy, risk tolerance and prioritization.
  • Identifying common controls, system boundaries and supply chain considerations.
  • Supporting baseline tailoring by identifying which controls need strengthening.
  • Creating enterprise and system-level risk profiles used throughout the RMF.

In short, early risk assessments set the foundation for consistent, efficient RMF execution.

How does NIST 800-37 align with frameworks like ISO 27001, HIPAA, or SOC 2?

NIST 800-37 can integrate with many regulatory frameworks because it uses a flexible, control-based risk management approach. Alignment happens through:

  • Control mapping. Requirements from ISO 27001, HIPAA, or SOC 2 can be mapped to NIST 800-53 controls.
  • Shared processes. Most frameworks require risk assessments, documentation, monitoring and continuous improvement, which align naturally with the RMF’s seven steps.
  • Overlays and crosswalks. Organizations can use overlays to tailor the RMF based on industry-specific compliance needs.
  • Unified control selection. The RMF’s tailored baseline approach allows multiple compliance requirements to be addressed in a single control set.

This makes the RMF a strong foundation for managing multiple regulatory obligations.

What common challenges do organizations face when implementing NIST 800-37?

Organizations often encounter obstacles when adopting the RMF, especially for the first time.

Common challenges include:

  • Heavy reliance on manual processes like spreadsheets and email.
  • Difficulty aligning stakeholders across security, privacy, engineering and leadership.
  • Unclear system boundaries, slowing categorization and control selection.
  • Incomplete or inconsistent documentation across the SDLC.
  • Limited staff capacity to perform ongoing assessments and monitoring.
  • Complexity in tailoring and allocating controls, especially in hybrid IT environments.
  • Siloed risk data that makes continuous monitoring difficult.

Tools like Isora GRC help reduce these challenges by providing structure, collaboration and automation across assessments, inventories, risks and reporting.
