Luv Johar
GRC Mentor
WhatsApp at
+91 971 860 3114
Mastering NIST RMF 800-37
Complete Guide to the 7-Step Risk Management Framework with Real-World Examples
NIST Special Publication 800-37 Revision 2 (SP 800-37 Rev. 2), titled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” is a comprehensive guide developed by the National Institute of Standards and Technology (NIST). It outlines a structured process for managing cybersecurity and privacy risks across federal information systems and organizations. This framework is pivotal for organizations aiming to integrate security and privacy considerations throughout the system development life cycle (SDLC).
Luv Johar | GRC Mentor
Overview of NIST SP 800-37 Rev. 2
Published in December 2018, SP 800-37 Rev. 2 introduces significant enhancements over its predecessor, including:
Integration of Privacy Risk Management
Incorporates privacy considerations alongside security, ensuring a holistic approach to risk management.
Alignment with the NIST Cybersecurity Framework (CSF)
Facilitates the implementation of the CSF within the Risk Management Framework (RMF), promoting consistency across security practices.
MASTERING NIST RMF 800-37
Emphasis on Supply Chain Risk Management (SCRM)
Addresses risks associated with external suppliers and service providers, acknowledging the complexities of modern supply chains.
Introduction of the "Prepare" Step
Adds a preparatory phase to enhance organizational readiness for executing the RMF effectively.
These updates aim to improve communication between organizational leadership and operational staff, promote cost-effective risk management, and ensure that security and privacy are integral to all stages of system development and operation.
The Seven Steps of the Risk Management Framework (RMF)
01 Prepare
Establishes organisational context, risk management roles, and strategies to ensure readiness for executing the RMF.
02 Categorise
Determines the impact level of information systems based on confidentiality, integrity, and availability, guiding the selection of appropriate security controls.
03 Select
Chooses appropriate baseline security and privacy controls from NIST SP 800-53 based on the system categorisation, tailoring them to the organisation's environment.
04 Implement
Deploys the selected controls within the system, ensuring they are integrated into the operational environment.
05 Assess
Evaluates the effectiveness of the implemented controls, verifying that they function as intended and meet security and privacy requirements.
06 Authorise
A senior official reviews the assessment results to determine if the risk levels are acceptable, granting or denying authorization to operate.
07 Monitor
Continuously observes the system and its environment to detect changes, assess control effectiveness, and respond to emerging risks. This cyclical process ensures that risk management is an ongoing activity, adapting to changes in the system and its operational context.
Key Enhancements in Revision 2
Integration with NIST CSF
Aligns the RMF with the NIST Cybersecurity Framework, enabling organizations to apply a unified approach to managing cybersecurity risks.
Supply Chain Risk Management (SCRM)
Emphasizes the importance of assessing and managing risks associated with external suppliers and service providers.
Privacy Risk Management
Incorporates privacy considerations into each step of the RMF, ensuring that privacy risks are identified and addressed alongside security risks.
Preparation Activities
The new "Prepare" step focuses on establishing a strong foundation for risk management by defining roles, responsibilities, and risk management strategies.
These enhancements aim to provide a more comprehensive and flexible framework that addresses the evolving landscape of cybersecurity and privacy risks.
Applicability and Compliance
While SP 800-37 Rev. 2 is primarily designed for U.S. federal agencies, its principles are applicable to any organization seeking to manage information system risks effectively. Compliance with the RMF is mandatory for federal agencies under the Federal Information Security Modernization Act (FISMA) and is often required for contractors and partners handling federal data. Organizations outside the federal sphere can adopt the RMF to enhance their cybersecurity posture and align with best practices.
If you require further assistance or have specific questions about implementing the RMF in your organization, feel free to ask!
BONUS
Sure! Let’s dive deeper into the Seven Steps of the NIST Risk Management Framework (RMF) from NIST SP 800-37 Rev. 2. For each step, I’ll give a detailed explanation and practical examples to help clarify how it works in real-world scenarios.
01 Prepare
Goal
Establish the organization’s context, governance, and readiness for managing security and privacy risks.
Key Activities
Define risk tolerance and acceptable risk levels.
Identify key stakeholders (e.g., authorizing officials, system owners).
Conduct enterprise risk assessments and business impact analysis.
Establish policies, procedures, and frameworks for ongoing risk management.
Example
A federal agency is planning a new online tax filing system. Before anything is built, the CIO’s office establishes who will be responsible for system security, sets the acceptable risk level (e.g., “no critical PII data can be exposed”), and creates a formal risk governance strategy.
02 Categorise
Goal
Determine the impact level of the information system in terms of confidentiality, integrity, and availability (CIA triad).
Key Activities
Categorize information types using FIPS 199 and NIST SP 800-60.
Document categorization results in the system security plan (SSP).
Example
The tax filing system handles sensitive personal and financial data. The agency categorizes it as:
Confidentiality: High (exposure could cause serious harm)
Integrity: High (incorrect data could lead to erroneous tax assessments)
Availability: Moderate (some tolerance for downtime)
This categorisation helps guide which security controls must be implemented.
03 Select
Goal
Choose appropriate baseline security and privacy controls based on system categorization.
Key Activities
Select baseline controls from NIST SP 800-53.
Tailor the controls based on the organisation’s environment.
Document controls in the SSP.
Example
Based on the “High” impact categorization, the agency selects controls such as:
Multi-factor authentication (IA-2)
Encryption for data at rest and in transit (SC-12, SC-13)
Continuous monitoring (CA-7)
They might also tailor controls, e.g., requiring biometric authentication only during high-risk transactions.
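Worked example of the Categorise and Select steps for the tax-filing scenario (added here; not code from the deck). It computes the FIPS 199 high-water mark over several information types and then tailors the sample control set the deck lists; the information types, the sample baseline and the tailoring note are constructed assumptions.

```python
# Added example, not code from the original deck: FIPS 199 categorization by
# the high-water mark (RMF Step 2), then baseline selection and tailoring
# (Step 3). The information types, control subset and tailoring are constructed.
from collections import namedtuple

# FIPS 199 impact levels, ordered. "NA" is allowed only for the confidentiality
# of public information and never raises the mark.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
InfoType = namedtuple("InfoType", "name confidentiality integrity availability")

def high_water(levels):
    """Highest impact level among the given level names (KeyError if unknown)."""
    return max(levels, key=LEVELS.__getitem__)

def categorize_system(info_types):
    """FIPS 199: each security objective takes the highest impact level of
    any information type the system processes."""
    return {
        "confidentiality": high_water(t.confidentiality for t in info_types),
        "integrity": high_water(t.integrity for t in info_types),
        "availability": high_water(t.availability for t in info_types),
    }

def overall_impact(category):
    """High-water mark across the three objectives; this single value names
    the SP 800-53 baseline (low, moderate or high)."""
    return high_water(category.values())

# Only the controls the deck lists; the real high baseline is the SP 800-53B table.
HIGH_BASELINE_SAMPLE = {"IA-2", "SC-12", "SC-13", "CA-7"}

def select_and_tailor(category, tailoring=None):
    """Step 3: every baseline control is kept; a tailoring note, if any, is
    attached by control id. Only the high baseline is modelled here."""
    if overall_impact(category) != "HIGH":
        raise ValueError("only the HIGH baseline is modelled in this sample")
    notes = tailoring or {}
    return {cid: notes.get(cid, "as in baseline") for cid in sorted(HIGH_BASELINE_SAMPLE)}

# Constructed information types for the deck's online tax-filing example.
TAX_SYSTEM = [
    InfoType("taxpayer PII", "HIGH", "HIGH", "MODERATE"),
    InfoType("financial records", "HIGH", "HIGH", "MODERATE"),
    InfoType("public tax forms", "NA", "LOW", "LOW"),  # does not lower the mark
]
TAILORING = {"IA-2": "biometric factor required for high-risk transactions"}
```

Running `categorize_system(TAX_SYSTEM)` reproduces the deck's result (Confidentiality High, Integrity High, Availability Moderate, overall High); the low-impact public forms do not pull any objective down.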
04 Implement
Goal
Deploy and configure selected controls and integrate them into the information system.
Key Activities
Implement technical and procedural security/privacy controls.
Ensure controls are operating as intended.
Document how each control is implemented.
Example
Developers implement secure coding practices and integrate encryption libraries. System administrators configure firewalls, access control lists, and install antivirus. The project team documents the use of TLS 1.3 for all data transmission.
06 Authorise
Goal
Make a risk-based decision to approve or deny system operation.
Key Activities
Review the SAR, SSP, and Plan of Action and Milestones (POA&M).
Determine if the risk is acceptable.
Issue an Authorisation to Operate (ATO), Denial, or Interim Authorization.
Example
The Authorising Official (AO) reviews all documentation. Most controls are working, but there’s a medium-risk vulnerability in third-party software. The AO accepts the residual risk (with a POA&M to fix it within 60 days) and issues an ATO.
Putting It All Together (Flow)
Prepare: Know your environment and risks.
Categorise: Know your data and what’s at stake.
Select: Choose controls that protect your system.
Implement: Put the controls into action.
Assess: Test if the controls actually work.
Authorise: Decide if the system is safe to run.
Monitor: Keep watching and improving.
Learn to Lead
Need help implementing NIST RMF 800-37? Message at +91 971 860 3114