NIST 800-37
A comprehensive guide to NIST 800-37 compliance featuring the seven-step Risk Management Framework (RMF) process, a detailed implementation checklist, common challenges organizations face, and practical solutions for managing cybersecurity risk throughout the information system lifecycle.
NIST 800-37 compliance: a checklist
NIST 800-37, titled "Risk Management Framework for Information Systems and Organizations," provides a comprehensive methodology for managing cybersecurity risk throughout an organization's information systems lifecycle. The framework establishes a disciplined and structured process that integrates security and risk management activities into the system development life cycle. It serves as a bridge between business objectives and security requirements, ensuring that security considerations are embedded from the initial design phase through system disposal.
The RMF consists of seven key steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. These steps create a continuous cycle where organizations first prepare their risk management strategy, categorize their information systems based on impact levels, select appropriate security controls, implement those controls, assess their effectiveness, obtain authorization to operate, and continuously monitor the security posture. Each step includes specific tasks, roles, and responsibilities that guide organizations through the risk management process.
The framework emphasizes continuous monitoring and ongoing risk assessment rather than point-in-time compliance checking. It promotes a risk-based approach that allows organizations to make informed decisions about security investments and risk acceptance based on their specific threat environment and business requirements. NIST 800-37 has become widely adopted across federal agencies and private sector organizations as a standard approach to cybersecurity risk management, providing consistency and interoperability in security practices.
NIST 800-37 compliance steps
NIST 800-37 compliance follows a structured seven-step Risk Management Framework (RMF) that organizations must execute systematically. The Prepare phase establishes organizational context and priorities, while Categorize involves analyzing systems and data to determine their criticality based on potential impact. These foundational steps ensure organizations understand their environment and what needs protection before moving forward with security controls.
The implementation phase encompasses Select, Implement, and Assess steps where organizations choose appropriate security controls, deploy them within their systems, and verify their effectiveness. The Select step involves choosing baseline controls and tailoring them based on risk assessments and organizational needs. Implement requires proper deployment and documentation of controls, while Assess validates that controls function correctly and meet security objectives.
The Authorize step represents the formal decision point where leadership accepts residual risk and grants permission to operate based on comprehensive security assessments. This authorization is not a one-time event but an ongoing responsibility that requires regular review. The final Monitor step establishes continuous oversight of system security posture, including regular assessments, change management, and reporting to maintain authorization.
Throughout all phases, organizations must maintain detailed documentation, conduct regular risk assessments, and ensure alignment with the NIST 800-53 control catalog. The framework emphasizes integration with system development lifecycles, supply chain risk management, and privacy considerations. Success requires dedicated resources, executive support, and often third-party expertise to navigate the complex requirements effectively.
NIST 800-37 Compliance Checklist:
• Establish organizational risk management strategy and governance structure - Example: Create a Risk Executive Function (REF) with designated Chief Risk Officer, define risk tolerance levels for different system types (e.g., low impact for training systems, high impact for financial systems), and establish policies for continuous monitoring frequency.
• Complete system categorization using FIPS 199 impact levels - Example: Categorize an email system as MODERATE for confidentiality (sensitive business communications), LOW for integrity (temporary disruption acceptable), and MODERATE for availability (business operations depend on email access).
• Select and document security controls from NIST 800-53 baseline - Example: For a MODERATE system, implement baseline controls plus tailored additions like enhanced logging (AU-3(1)) for financial applications, with documented rationale for any control modifications or compensating measures.
• Develop comprehensive System Security Plan (SSP) and Privacy Plan - Example: Create a 200+ page SSP documenting how each control is implemented, including network diagrams, data flow charts, roles and responsibilities matrix, and privacy impact assessments for personally identifiable information processing.
• Conduct independent security control assessments - Example: Hire certified third-party assessors to test firewall configurations, interview system administrators, review access logs, and validate that implemented controls match SSP documentation, resulting in a detailed Security Assessment Report (SAR).
• Obtain formal Authorization to Operate (ATO) from designated official - Example: Present risk assessment results to the Authorizing Official showing 15 low-risk findings and 3 moderate-risk findings with approved mitigation plans, receiving a signed ATO memo valid for 3 years with specific conditions.
• Implement continuous monitoring program with automated tools - Example: Deploy vulnerability scanning tools that run weekly, configure SIEM systems to monitor security events in real time, establish monthly metrics reporting to leadership, and maintain a Plan of Action and Milestones (POA&M) tracking system for remediation efforts.
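The Categorize and Select items above can be worked through mechanically. The script below is an added example, not code from the page, from Island, or from NIST: it applies the FIPS 199 rule that a system's impact for each security objective is the highest impact of any information type it processes, takes the FIPS 200 high-water mark across the three objectives to pick the NIST 800-53 baseline, and then refuses any tailoring decision that lacks a documented rationale, which is the checklist's requirement for control modifications and compensating measures. The email system's information types and the baseline subset are constructed sample data; AU-3(1) comes from the checklist, and the other control identifiers are illustrative.

```python
"""FIPS 199 categorization and NIST SP 800-53 baseline tailoring, worked through.

Added example (not Island's or NIST's code). Implements the high-water mark rule
from FIPS 199 / FIPS 200 and enforces the checklist's requirement that every
baseline modification carry a documented rationale. The information types and
the baseline subset below are constructed sample data; control identifiers other
than AU-3(1), which the checklist cites, are illustrative.
"""
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information a system processes, with its FIPS 199 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(level: str) -> str:
    """Reject anything that is not a FIPS 199 impact level."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {sorted(LEVELS)}")
    return level


def categorize_system(info_types):
    """FIPS 199: the system's impact for each objective is the highest impact
    assigned to any information type the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((_check_level(getattr(t, obj)) for t in info_types), key=LEVELS.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(categorization):
    """FIPS 200: the overall impact level is the highest of the three objectives;
    it determines which SP 800-53 baseline (LOW / MODERATE / HIGH) applies."""
    return max(categorization.values(), key=LEVELS.__getitem__)


@dataclass(frozen=True)
class TailoringDecision:
    """A documented change to the baseline: action is 'add', 'remove', or 'compensate'."""
    control: str
    action: str
    rationale: str = ""


def tailor_baseline(baseline, decisions):
    """Apply tailoring decisions to a baseline and return the selected control set.

    Any decision without a rationale is rejected outright, since an assessor
    comparing the SSP against the baseline will ask for exactly that record.
    """
    selected = set(baseline)
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"{d.control}: '{d.action}' has no documented rationale")
        if d.action == "add":
            selected.add(d.control)
        elif d.action == "remove":
            selected.discard(d.control)
        elif d.action == "compensate":
            # The control stays in scope; the rationale records the compensating measure.
            selected.add(d.control)
        else:
            raise ValueError(f"{d.control}: unknown tailoring action {d.action!r}")
    return sorted(selected)


# Constructed sample: the checklist's email system, split into two information types.
EMAIL_INFO_TYPES = [
    InformationType("business correspondence", "MODERATE", "LOW", "MODERATE"),
    InformationType("shared calendars", "LOW", "LOW", "LOW"),
]

# Constructed subset of the MODERATE baseline, for illustration only.
MODERATE_BASELINE_SUBSET = ["AC-2", "AU-2", "AU-3", "AU-6", "CM-2", "IA-2", "SI-4"]

# Tailoring from the checklist: enhanced audit content for financial use of the system.
EMAIL_TAILORING = [
    TailoringDecision("AU-3(1)", "add",
                      "Financial approvals flow through email; additional audit content required."),
]


def email_system_example():
    """Run the chain for the sample system: categorize, pick the baseline, tailor."""
    categorization = categorize_system(EMAIL_INFO_TYPES)
    level = high_water_mark(categorization)
    controls = tailor_baseline(MODERATE_BASELINE_SUBSET, EMAIL_TAILORING)
    return categorization, level, controls


if __name__ == "__main__":
    cat, lvl, ctl = email_system_example()
    print("categorization:", cat)
    print("system impact level:", lvl)
    print("selected controls:", ", ".join(ctl))
```

For the sample email system this yields MODERATE / LOW / MODERATE, a MODERATE high-water mark, and the baseline subset plus AU-3(1); dropping the rationale from a decision makes `tailor_baseline` raise instead of silently weakening the control set, which is the behaviour an SSP review process should preserve.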
Common challenges
Organizations implementing NIST 800-37 frequently struggle with the complexity and scope of the framework's requirements, particularly when transitioning from legacy systems and processes. The comprehensive nature of the Risk Management Framework, with its seven distinct phases and integration of both security and privacy considerations, can overwhelm teams that lack dedicated risk management expertise. Many organizations underestimate the resource commitment required to properly execute each phase, from initial preparation through continuous monitoring.
The technical implementation of security controls presents another significant challenge, especially for organizations with diverse technology environments spanning cloud, on-premises, and hybrid infrastructures. Selecting and tailoring the appropriate controls from NIST 800-53's catalog of over 1,000 options requires deep technical knowledge and careful consideration of organizational risk tolerance. Organizations often struggle to balance the need for comprehensive security coverage with practical operational constraints and budget limitations.
Maintaining continuous compliance poses ongoing difficulties as organizations must establish sustainable processes for monitoring, assessment, and documentation. The framework's emphasis on real-time risk management and continuous authorization requires significant automation and integration capabilities that many organizations lack. Without proper tooling and established workflows, organizations find themselves overwhelmed by the administrative burden of maintaining current risk assessments, control effectiveness evaluations, and authorization documentation across multiple systems and environments.
Simplifying NIST 800-37 Risk Management Framework (RMF) controls with an enterprise browser
Users access a growing number of tools through the browser, so RMF controls must cover browser-based access to reduce risk. With the Island Enterprise Browser, the browser itself becomes a control point, giving RMF designers in the organization better visibility, risk reduction, and compliance. With Island, the RMF needs fewer controls and solutions, at lower cost, to reduce risk for users accessing web, cloud, SaaS, RDP, and SSH.
Frequently asked questions (FAQ)
Q: What are the seven steps of NIST 800-37's Risk Management Framework?
A: The seven steps are: Prepare (establish organizational risk management strategy), Categorize (analyze systems using FIPS 199 impact levels), Select (choose appropriate security controls from NIST 800-53), Implement (deploy and document controls), Assess (verify control effectiveness), Authorize (obtain formal permission to operate), and Monitor (establish continuous oversight of security posture).
Q: How long does an Authorization to Operate (ATO) typically last?
A: An ATO is typically valid for 3 years, but this is not a set-it-and-forget-it authorization. Organizations must maintain continuous monitoring programs throughout this period and can have their authorization revoked if significant security issues arise or if they fail to maintain compliance with the agreed-upon security controls.
Q: What is the difference between NIST 800-37 and NIST 800-53?
A: NIST 800-37 provides the Risk Management Framework process and methodology for managing cybersecurity risk, while NIST 800-53 contains the actual catalog of over 1,000 security controls that organizations select from during the RMF process. Think of 800-37 as the "how" and 800-53 as the "what" of cybersecurity risk management.
Q: What are the biggest challenges organizations face when implementing NIST 800-37?
A: The most common challenges include underestimating the resource commitment required, struggling with the complexity of selecting and tailoring appropriate security controls from the extensive NIST 800-53 catalog, managing diverse technology environments (cloud, on-premises, hybrid), and maintaining continuous compliance through ongoing monitoring and documentation requirements.
Q: Do private sector organizations need to comply with NIST 800-37?
A: NIST 800-37 is not legally required for private sector organizations, but it has become widely adopted as a cybersecurity best practice. Many private companies implement the framework voluntarily to improve their security posture, demonstrate due diligence to stakeholders, meet customer requirements, or prepare for potential regulatory compliance in their industry.