NIST Special Publication 800-37

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems" was developed by the Joint Task Force Transformation Initiative Working Group. The first revision aimed to transform the traditional Certification and Accreditation (C&A) process into the Risk Management Framework (RMF), and the second version addressed privacy controls in a more central manner, and added a preparatory step.

The second step of the RMF is to select the appropriate subset of security controls from the control catalog in NIST Special Publication 800-53.

First
NIST Special Publication 800-37 Rev. 1 was published in February 2010 under the title "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach". This version described six steps in the RMF lifecycle. Rev. 1 was withdrawn on December 20, 2019 and superseded by SP 800-37 Rev. 2.

Second
NIST Special Publication 800-37 Rev. 2 was published in December 2019 under the title "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy". Among other changes, this version increased the number of steps in the RMF from six to seven, by adding a new "Prepare" step as step 0.