What is NIST SP 800-37?
NIST SP 800-37 (currently Revision 2, "Risk Management Framework for Information Systems and Organizations") is the official guide to the NIST Risk Management Framework (RMF). It describes how organisations apply risk management throughout the entire life cycle of an information system, from initial categorisation to disposal.
The document operationalises the RMF so that it can be applied to both IT and OT environments (NIST SP 800-82 supplies the OT-specific guidance) and is a cornerstone of FISMA compliance; Revision 2 also aligns the RMF with the NIST Cybersecurity Framework (CSF).
🧠 What does NIST SP 800-37 cover?
This special publication defines the tasks, roles, inputs and outputs of each RMF step, and provides guidance on:
- Integrating risk management into system development (the SDLC) and operations instead of bolting it on afterwards
- Making informed, risk-based decisions on whether to authorise a system to operate
- Selecting, tailoring and implementing the security and privacy controls catalogued in NIST SP 800-53
- Continuously monitoring controls and changes to the system so that the authorisation can be maintained on an ongoing basis rather than renewed only at fixed intervals
🔁 The 7 steps of the RMF according to SP 800-37
| Step | Description |
|---|---|
| 1. Prepare | Prepare the organisation and the system: risk management strategy, risk tolerance, roles, common controls, authorisation boundary |
| 2. Categorize | Categorise the system and the information it processes by the potential impact (low, moderate, high) of a loss of confidentiality, integrity or availability, per FIPS 199 |
| 3. Select | Select the control baseline from NIST SP 800-53 (baselines in SP 800-53B) that matches the impact level, then tailor it to the system's risk |
| 4. Implement | Implement the controls technically and organisationally, and document how each is implemented |
| 5. Assess | Assess whether the controls are implemented correctly, operating as intended and producing the desired outcome |
| 6. Authorize | The Authorizing Official decides, on the basis of the residual risk, whether to authorise the system to operate (possibly with conditions) or deny authorisation |
| 7. Monitor | Continuously monitor control effectiveness, changes to the system and its environment, and the resulting risk; update the authorisation accordingly and manage disposal at end of life |
Each step has defined inputs, outputs and responsible parties (e.g. System Owner, Authorizing Official, Security Control Assessor).
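The Categorize step is the one part of the RMF with a precisely defined calculation: FIPS 199 assigns each information type an impact level per security objective, takes the "high-water mark" (the highest level of any information type) per objective for the system, and treats the highest of those three as the system's overall impact level, which in turn selects the SP 800-53B baseline in the Select step. The following is an added example of that calculation, not code from NIST or from SP 800-37 itself; the information types, their names and their impact values are constructed for illustration, and the rule that "not applicable" is permitted only for confidentiality of an information type and never at system level is taken from FIPS 199.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# FIPS 199 impact levels, ranked for the high-water-mark comparison
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed by the system (names and values are constructed)."""
    name: str
    confidentiality: Optional[str]  # None means "not applicable" (public information)
    integrity: str
    availability: str


def validate_info_type(t: InfoType) -> None:
    """FIPS 199 allows 'not applicable' only for confidentiality, and only for information types."""
    for objective in OBJECTIVES:
        level = getattr(t, objective)
        if level is None:
            if objective != "confidentiality":
                raise ValueError(f"{t.name}: {objective} impact cannot be 'not applicable'")
            continue
        if level not in IMPACT_RANK:
            raise ValueError(f"{t.name}: unknown impact level {level!r} for {objective}")


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Apply the FIPS 199 high-water mark.

    Per objective, the system impact is the highest level of any information type.
    At system level the floor is 'low', so an objective that is N/A for every
    information type still comes out as 'low'. The overall level is the highest
    of the three and drives baseline selection (SP 800-53B) in the Select step.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for t in info_types:
        validate_info_type(t)

    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [getattr(t, objective) for t in info_types if getattr(t, objective) is not None]
        levels.append("low")  # system-level minimum per FIPS 199
        result[objective] = max(levels, key=IMPACT_RANK.__getitem__)
    result["overall"] = max((result[o] for o in OBJECTIVES), key=IMPACT_RANK.__getitem__)
    return result


def security_category_string(result: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({o}, {result[o].upper()})" for o in OBJECTIVES)
    return f"SC = {{{parts}}}"


# Constructed OT example: three information types handled by one control-zone system
OT_INFO_TYPES = [
    InfoType("SCADA setpoints and commands", "moderate", "high", "high"),
    InfoType("Historian process data", "low", "moderate", "moderate"),
    InfoType("Public plant status page", None, "low", "low"),
]

if __name__ == "__main__":
    cat = categorize_system(OT_INFO_TYPES)
    print(security_category_string(cat))
    print("overall impact level:", cat["overall"], "-> select the", cat["overall"], "baseline from SP 800-53B")
```

Note that the public status page being "not applicable" for confidentiality does not lower the system's category: the high-water mark only ever raises it, which is why a single high-impact information type (here the SCADA command path) pulls the whole system, and therefore the whole control baseline, to high.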
🏭 Application in OT environments
| RMF step | Example in an OT context |
|---|---|
| Prepare | Define roles for PLC administrators, ISO, integrators |
| Categorize | Classification of SCADA, Historian and HMI by impact |
| Select | Select controls such as zone segmentation with firewalls, access control, MFA for remote access, and monitoring of the control network |
| Implement | Configure a jump server as the single remote-access path into the control zone, with session logging and RBAC |
| Assess | Assess the remote-access path, e.g. verify that the jump server enforces MFA, that direct access bypassing it is blocked, and that sessions are actually logged |
| Authorize | The OT manager, acting as Authorizing Official, gives written approval to put the system into operation |
| Monitor | Continuous use of SIEM and anomaly detection in the control zone |
🔐 Linkages with other frameworks
| Standard | Relationship to SP 800-37 |
|---|---|
| NIST SP 800-53 | Catalogue of security and privacy controls; SP 800-53B supplies the low/moderate/high baselines used in the Select step |
| NIST SP 800-30 | Guide for Conducting Risk Assessments; its method feeds the Prepare step and informs tailoring in the Select step |
| NIST CSF | Higher-level, outcome-based framework; SP 800-37 Rev. 2 aligns the RMF tasks with the CSF |
| IEC 62443-2-1 | Comparable CSMS approach for OT organisations |
| ISO/IEC 27001 | International alternative with a similar ISMS approach |
✅ Benefits of NIST SP 800-37
- Full lifecycle management of system risks
- Transparency and accountability through clearly assigned roles
- Supports audits and compliance (e.g. FISMA, NIS2)
- Applicable to both traditional IT and industrial networks (OT)
📌 In summary
NIST SP 800-37 is the operational guide to the RMF and describes step by step how to apply risk management to systems. The framework helps organisations to manage their information systems responsibly, with continuous attention to security, privacy and compliance.
