What is NIST SP 800-37 and why does it matter?

NIST SP 800-37 Rev. 2 defines the Risk Management Framework (RMF), a seven-step lifecycle for managing security and privacy risk in information systems. It matters because FISMA requires all federal agencies to follow the RMF, FedRAMP adapts it for cloud services, and its structured approach to risk management represents the gold standard adopted by regulated industries worldwide. The current version, published in December 2018, is available at csrc.nist.gov.

What are the seven steps of the Risk Management Framework?

The seven RMF steps are: (1) Prepare, which establishes organizational context and risk strategy; (2) Categorize, which classifies the system by impact level; (3) Select, which chooses security controls from SP 800-53; (4) Implement, which deploys the selected controls; (5) Assess, which evaluates control effectiveness; (6) Authorize, which is the risk acceptance decision; and (7) Monitor, which provides ongoing assessment and risk management. The Prepare step was added in Rev. 2.

How does the RMF relate to NIST SP 800-53?

SP 800-37 is the process framework; SP 800-53 is the control catalog. The RMF (800-37) tells organizations how to select, implement, assess, and monitor controls. SP 800-53 provides the actual controls (over 1,000 across 20 families) from which organizations choose. During Step 3 (Select), the system's FIPS 199 categorization maps to a specific SP 800-53 baseline. During Step 5 (Assess), SP 800-53A provides the assessment procedures for those controls.

Who must comply with the RMF?

FISMA mandates RMF compliance for all federal agencies and their information systems. This requirement extends to federal contractors and cloud service providers through contract clauses, FedRAMP, CMMC (for defense), and other regulatory mechanisms. Non-federal organizations are not required to follow the RMF but increasingly adopt it as a best practice for managing cybersecurity risk, particularly if they handle federal data or seek federal contracts.

How long does the RMF process take?

For a new system, the full RMF lifecycle from Prepare through Authorization typically takes 6 to 18 months, depending on the system's complexity, the organization's existing security posture, and available resources. PTG's AI-powered compliance tools can compress this timeline significantly by automating documentation generation, control mapping, and gap analysis. A well-prepared organization with strong existing controls can achieve authorization in as few as 4 to 6 months with the right support.

What is the difference between the RMF and the NIST Cybersecurity Framework (CSF)?

The NIST CSF is an outcome-based, voluntary framework organized around six functions (Govern, Identify, Protect, Detect, Respond, Recover). The RMF is a process-based, mandatory (for federal systems) framework organized around seven sequential steps. The CSF describes "what" security outcomes to achieve; the RMF describes "how" to systematically achieve them. SP 800-37 Rev. 2 includes a mapping between RMF activities and CSF functions, and organizations can use both frameworks together.

Can small businesses use the RMF?

Yes. While the RMF was designed for federal agencies, its structured approach scales to organizations of any size. Small businesses that handle federal data (as contractors, subcontractors, or cloud providers) often must implement elements of the RMF. PTG specializes in making the RMF accessible to SMBs by providing the expertise, tools, and AI-powered automation that reduce the resource burden. PTG's compliance service packages are specifically designed for organizations that need enterprise-grade risk management without enterprise-sized budgets.

How does AI affect the RMF process?

AI affects the RMF in two ways. First, AI tools accelerate traditional RMF activities: automated control mapping, intelligent gap analysis, AI-assisted documentation, and continuous monitoring powered by machine learning. Second, AI systems themselves are information systems that require RMF governance. The NIST AI Risk Management Framework (AI RMF) provides complementary guidance for AI-specific risks such as bias, transparency, and robustness. PTG combines both perspectives through its integrated AI and cybersecurity practice.

What happens after an ATO is granted?

The ATO is not the finish line; it is the beginning of continuous monitoring (Step 7). Organizations must conduct ongoing control assessments, monitor for system changes and new threats, update the SSP and POA&M, report risk posture to the AO, and maintain readiness for reauthorization. Organizations that treat the ATO as a one-time event inevitably fall out of compliance and face reauthorization challenges. PTG's continuous monitoring service ensures that your security posture remains current between authorization cycles.

NIST SP 800-37

Risk Management Framework (RMF)

NIST SP 800-37 Rev. 2 defines the seven-step lifecycle for categorizing systems, selecting controls, and achieving Authorization to Operate. PTG uses AI-powered automation to compress the RMF timeline from 12-18 months to a fraction of that.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Start Your RMF Implementation Call 919-601-1601

The Lifecycle

Seven Steps to Authorization

The RMF is the connective tissue between dozens of NIST publications. It is the process for managing security and privacy risk throughout the system lifecycle.

Prepare

Categorize

Select Controls

Implement

Assess

Authorize

NIST Ecosystem

How the RMF Connects NIST Publications

SP 800-53 Controls

The master catalog of 1,000+ security and privacy controls selected during RMF Step 3.

Learn more

SP 800-53B Baselines

Defines Low, Moderate, and High control baselines that determine your starting control set.

Learn more

SP 800-30 Risk Assessment

The methodology used during categorization and throughout the RMF lifecycle.

Learn more

SP 800-137 Continuous Monitoring

Guides the ongoing Step 7 Monitor activities that maintain your authorization.

Learn more

SP 800-161 Supply Chain

Rev. 2 integrates supply chain risk management into every RMF step.

Learn more

NIST CSF 2.0

RMF activities map to CSF functions, connecting process-based and outcome-based approaches.

Learn more

Rev. 2 Changes

What Changed in Revision 2

New Prepare Step

Establishes organizational context and risk tolerance before categorization begins.

Privacy Integration

Privacy risk management integrated throughout all seven steps alongside security.

Supply Chain Risk

C-SCRM explicitly incorporated into the RMF lifecycle at every step.

Expanded Authorizations

Joint and leveraged authorizations allow reusing assessment results across systems.

Who This Is For

Built For

Federal Agencies (FISMA) Defense Contractors (CMMC) Cloud Providers (FedRAMP) Healthcare (HIPAA) Any Organization Using NIST Controls

FAQ

Frequently Asked Questions

What is an Authorization to Operate (ATO)?

An ATO is the formal decision by an Authorizing Official that a system's security risk is acceptable. The RMF process produces the evidence (SSP, SAR, POA&M) needed for this decision.

How long does the RMF process typically take?

Traditional RMF implementations take 12-18 months. PTG's AI-powered compliance platform compresses SSP drafting, control mapping, and gap analysis to reduce overall timelines significantly.

Do private-sector organizations need the RMF?

Any organization pursuing CMMC, FedRAMP, or NIST 800-171 compliance benefits from the RMF's structured approach. It provides the disciplined process that auditors and assessors expect.

What documents does the RMF produce?

Key artifacts include the System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), and Authorization Package. PTG's AI tools reduce SSP drafting time by 50-60%.

Get Started

Ready to Navigate the RMF?

PTG accelerates every step of the Risk Management Framework with AI-powered automation and 23+ years of expertise.

Schedule a Consultation Call 919-601-1601