Is your company required to comply with the NIST framework because of a federal contract or subcontract? Or are you interested in using a proven method of security planning and risk management for your corporation of your own accord? Either way, check out this brief explanation of what NIST 800-37 is, how it can be an important part of your risk management strategy, and how you can get professional help preparing your organization’s security needs and setting up privacy risk management processes with RiskRecon by Mastercard.

What is NIST 800-37?

If your organization handles sensitive, confidential, or private information in a digital sphere, you must ensure it is handled safely and securely. Security frameworks are a crucial part of this kind of protection, and that’s where the NIST 800-37 RMF (Risk Management Framework) comes in: it is a compliance framework designed to help organizations manage the security and privacy risks to their information systems in a structured, repeatable way.

What is the Purpose of the NIST 800 Documents?

The NIST 800 series of documents provides a “risk management framework” to help organizations improve their cybersecurity in a standardized way. Developed by the National Institute of Standards and Technology, the NIST 800 series outlines what federal and other organizations need to do in order to keep their cybersecurity up to date. Each document in the series is known as a NIST Special Publication, or NIST SP, and the series as a whole is focused on computer and information security guidelines. The publication discussed here is NIST SP 800-37. Rather than prescribing specific programs or tools that organizations must use, NIST 800 provides guidelines that can be adapted to the current needs of an organization, with an easy path for upgrading or improving security controls as new approaches are discovered.

Who Does NIST 800-37 Apply to?

While the NIST cybersecurity framework can be adopted by any organization that wishes to improve its cybersecurity, compliance with the requirements outlined in NIST 800-37 is mandatory for any contractor or subcontractor handling information from the United States federal government. The NIST RMF is a government risk and compliance evaluation that ensures this data is handled appropriately. Every federal information system is required to have this kind of information security, as are federal agencies and federal networks.

What are the Steps of NIST 800-37?

The second revision of NIST 800-37 defines seven steps for an organization to follow in order to evaluate and prepare for potential security risks. While it is possible to undertake this approach independently, you can also get professional assistance as you work to make your corporation NIST-compliant.

Let’s look at each of these steps in a little bit more detail:

Step 1: Prepare

The “prepare” step involves looking at what your organization must do at all levels to address potential risk management needs. As part of this risk assessment, you might need to check in with various parts of a business process, for example, and make sure that you know what security and privacy issues they could potentially face, or have already faced.

Step 2: Categorize

This step asks you to categorize your system characteristics and how information is stored, processed, and transmitted. This categorization should be based on an impact analysis examining the potential impact of security or privacy breaches in various areas.

Step 3: Select

In this step, you will choose the controls needed to address your organization’s security needs and protect any systems you use to handle sensitive data. Each cybersecurity framework control can be set up in a variety of ways and drawn from a variety of sources, but the most important thing is that the controls are tailored to your system’s needs in order to mitigate risk.

Step 4: Implement

In this step, the selected controls are implemented, and documentation is created to record how each control has been deployed within your NIST risk management framework.

Step 5: Assess

The “assess” step will require you to develop assessment plans to check on the controls for your security and privacy systems and ensure that they operate as required to meet your organization’s needs. In this phase, you will likely need to plan how to address any inadequacies noted in the initial implementation and make plans for future action or milestones that you will need to reach in furthering your cybersecurity and privacy goals.

Step 6: Authorize

This step requires that you receive authorization from a senior official. This official will examine an executive summary explaining your actions in implementing the RMF thus far, your system security and privacy plan(s), assessment reports, and any plans of action and milestones you have. They will either grant or deny authorization, based on whether the systems and common controls can be operated at an acceptable level of risk.

Step 7: Monitor

Continuous monitoring is one of the best practices for risk management. This final step follows a successful authorization. At this point, your job is to keep monitoring your system’s security and privacy standing, stay aware of changes to it, and use this information to make future decisions related to risk management for your organization.

By following all these steps and receiving authorization, your corporation can be NIST-compliant.

What are the Recent Changes Made to NIST 800-37?

The NIST 800-37 update (second revision) added a new first step, “Prepare,” to the six steps in earlier versions. This new step emphasizes the importance of appreciating the scope of your undertaking before beginning it, assessing what your organization will need to do, and deciding whether you need help doing it.

How Can RiskRecon Help?

NIST risk management can help your organization, but it can also be difficult to implement, especially in the early stages. With RiskRecon, you can get help assessing your organization’s security “health” and seeing what might need improvement. Check out RiskRecon today for a 30-day trial to see how it can help you map out and plan to address your organization’s security needs.