NIST SP 800-37 Risk Management Framework

NIST SP 800-37: The Definitive Guide to the Risk Management Framework (RMF)

NIST Special Publication 800-37 Revision 2 defines a structured, repeatable seven-step lifecycle that federal agencies, defense contractors, and cloud service providers use to categorize systems, select and implement security controls, assess their effectiveness, authorize system operation, and continuously monitor risk posture. Petronella Technology Group, Inc. uses its proprietary AI-powered compliance platform to accelerate every step of the RMF process, compressing what traditionally takes 12 to 18 months into a fraction of that timeline.

BBB A+ Accredited Since 2003 | Founded 2002 | 2,500+ Clients | CMMC Registered Practitioner Organization

7-Step Lifecycle Mastery

Complete implementation of the RMF seven-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, documented and auditable from end to end.

ATO-Ready Documentation

SSP, SAR, and POA&M documentation that satisfies Authorizing Officials and assessors. Our AI-powered tools reduce SSP drafting time by 50-60% for Moderate-impact systems.

AI-Powered Control Mapping

Automated control selection and gap analysis using PTG's private AI fleet, completing in hours what manual cross-referencing takes weeks to accomplish.

Continuous Monitoring

Near-real-time risk visibility powered by on-premise AI infrastructure, reducing the manual burden of continuous monitoring by up to 70% with automated POA&M updates and risk reports.

Last Reviewed: March 2026

NIST Special Publication 800-37 Revision 2, titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," is the United States government's authoritative process framework for managing security and privacy risk in information systems. Published by the National Institute of Standards and Technology (NIST) in December 2018, SP 800-37 Rev. 2 defines a structured, repeatable seven-step lifecycle that federal agencies and contractors use to categorize systems, select and implement security controls, assess their effectiveness, authorize system operation, and continuously monitor risk posture. The Risk Management Framework (RMF) is not a set of security controls itself; rather, it is the process that organizations follow to select, implement, and manage controls from the master catalog defined in NIST SP 800-53 Rev. 5. The Federal Information Security Modernization Act (FISMA) mandates that all federal agencies apply the RMF to every information system they operate. Beyond federal agencies, defense contractors subject to CMMC and NIST SP 800-171, cloud service providers pursuing FedRAMP authorization, and private-sector organizations seeking a disciplined approach to cybersecurity risk management all benefit from adopting the RMF. Petronella Technology Group (PTG) uses its proprietary AI-powered compliance platform to accelerate every step of the RMF process, compressing what traditionally takes 12 to 18 months into a fraction of that timeline.

Why the Risk Management Framework Matters

Every organization that processes, stores, or transmits federal data must demonstrate that it manages security and privacy risk through a structured, auditable process. The RMF provides that process. Without it, agencies cannot issue an Authorization to Operate (ATO), cloud providers cannot achieve FedRAMP authorization, and defense contractors cannot satisfy DFARS 252.204-7012 requirements. The RMF also serves as the connective tissue between dozens of NIST publications: it references SP 800-53 for controls, SP 800-30 for risk assessments, SP 800-53A for assessment procedures, and SP 800-137 for continuous monitoring guidance. Understanding the RMF means understanding how the entire NIST security ecosystem fits together.

For small and mid-size businesses, the RMF can appear daunting. The seven-step process involves dozens of artifacts, multiple organizational roles, and ongoing monitoring obligations. PTG specializes in making this enterprise-grade framework accessible to SMBs. Craig Petronella, a CMMC Registered Practitioner with 23+ years in cybersecurity and an MIT Artificial Intelligence Certificate, has led hundreds of organizations through the RMF lifecycle, leveraging PTG's patented technology stack and private AI fleet to automate control selection, gap analysis, and documentation generation.

What Changed in Revision 2

NIST released SP 800-37 Rev. 2 in December 2018, introducing several significant changes from the original 2010 revision. Understanding these changes is essential for organizations still operating under Rev. 1 processes.

  • Added the Prepare step: Rev. 2 introduced "Prepare" as a new first step in the RMF lifecycle. This step establishes organizational context, defines risk tolerance, identifies common controls, and sets the stage for all subsequent activities. The Prepare step reduces the inefficiencies that plagued Rev. 1 implementations where organizations jumped directly into categorization without adequate planning.
  • Integrated privacy risk management: Rev. 2 aligns the RMF with the NIST Privacy Framework by incorporating privacy requirements throughout all seven steps. Organizations now assess privacy risk alongside security risk, select privacy controls from SP 800-53, and designate a Senior Agency Official for Privacy (SAOP) as a key participant.
  • Supply chain risk management: Rev. 2 explicitly incorporates supply chain risk management (SCRM) into the RMF lifecycle, reflecting guidance from NIST SP 800-161. Organizations must consider supply chain threats during system categorization and control selection.
  • Alignment with the NIST Cybersecurity Framework: Rev. 2 maps RMF activities to the NIST Cybersecurity Framework (CSF) functions (Govern, Identify, Protect, Detect, Respond, Recover), enabling organizations that use the CSF to see how their outcome-based approach connects to the process-based RMF.
  • System life cycle emphasis: The subtitle change to "A System Life Cycle Approach" signals that the RMF is not a one-time compliance activity but an ongoing process integrated into how organizations acquire, develop, operate, and retire information systems.
  • Authorization options expanded: Rev. 2 introduces additional authorization approaches, including joint and leveraged authorizations, that allow organizations to reuse assessment results across systems, reducing duplicative effort.

The Seven Steps of the Risk Management Framework

The RMF consists of seven steps, each with defined tasks, inputs, outputs, and responsible roles. The process is iterative: outputs from later steps feed back into earlier steps as risk conditions change. The following sections detail each step based on the official NIST SP 800-37 Rev. 2 publication.

Step 1: Prepare

The Prepare step establishes the organizational context for managing security and privacy risk. This step occurs at two levels: the organization level and the system level.

Organization-level tasks:

  • Assign key risk management roles: Risk Executive, Chief Information Officer (CIO), Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Authorizing Official (AO).
  • Establish a risk management strategy that defines risk tolerance, risk assessment methodologies, and acceptable risk thresholds.
  • Identify and document organization-wide common controls that can be inherited by multiple systems, reducing per-system effort.
  • Develop a continuous monitoring strategy aligned with SP 800-137.
  • Approve and publish the mission/business focus and system-level strategy.

System-level tasks:

  • Identify stakeholders and define system boundaries, including interconnections with other systems.
  • Conduct an initial risk assessment or leverage existing risk assessments from SP 800-30.
  • Determine the system's life cycle phase (development, operations, disposal) and tailor the RMF activities accordingly.
  • Register the system with the organization's system inventory.

Key output: A documented organizational risk management strategy, identified common controls, and a system registration that enables tracking through the remaining RMF steps.

PTG's AI-powered compliance platform automates much of the Prepare step by ingesting an organization's existing documentation, identifying gaps in role assignments and risk tolerance definitions, and generating draft risk management strategies based on the organization's industry, size, and regulatory obligations. This automation alone saves 40 to 80 hours of consultant time per engagement.

Step 2: Categorize

System categorization determines the level of protection required based on the potential impact of a loss of confidentiality, integrity, or availability. This step directly follows the methodology defined in FIPS 199 and the guidance in NIST SP 800-60 Vol. 1.

Tasks:

  • Identify all information types processed, stored, or transmitted by the system using the information type catalog in SP 800-60.
  • Assign provisional impact levels (Low, Moderate, or High) to each information type across the three security objectives: confidentiality, integrity, and availability.
  • Determine the overall system categorization by taking the high-water mark across all information types and security objectives.
  • Document the categorization decision and obtain Authorizing Official approval.

Key output: A documented system categorization (e.g., "Moderate-Moderate-Moderate" or "High-Moderate-Moderate") that drives all subsequent control selection.

The categorization step is critical because it determines the baseline set of controls from NIST SP 800-53 that the organization must implement. A Low-impact system requires approximately 131 controls, a Moderate-impact system requires approximately 325 controls, and a High-impact system requires approximately 421 controls. Miscategorization, whether too high or too low, results in wasted resources or inadequate protection.
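The high-water-mark rule in the Categorize tasks above is mechanical enough to script, and scripting it makes miscategorization easier to catch in review. The following is an added example written for this page; it is not code from the page or from PTG's compliance platform. The information types and their provisional impact levels are constructed sample data, and the per-baseline control counts are the approximate figures quoted above. It also handles the FIPS 199 edge case the tasks do not spell out: an individual information type may be rated "Not Applicable" for confidentiality (public data), but a system-level objective is never rated below Low.

```python
"""FIPS 199 high-water-mark categorization and SP 800-53B baseline lookup.

Added example for this page; it is not code from the page or from PTG's
compliance platform. The information types and their provisional impact
levels below are constructed sample data. The approximate control counts
per baseline are the figures quoted on the page.
"""
from dataclasses import dataclass

# Ordering of FIPS 199 impact values. "Not Applicable" is permitted only for
# the confidentiality of an individual information type (e.g. public data).
IMPACT_ORDER = {"Not Applicable": -1, "Low": 0, "Moderate": 1, "High": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Approximate control counts for each SP 800-53B baseline, as quoted on the page.
BASELINE_CONTROL_COUNTS = {"Low": 131, "Moderate": 325, "High": 421}


@dataclass(frozen=True)
class InformationType:
    """One SP 800-60 information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "Not Applicable" and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} cannot be Not Applicable")


def high_water_mark(levels):
    """Highest impact value in `levels`, floored to Low at the system level (FIPS 199 Sec. 3)."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one information type is required")
    top = max(levels, key=IMPACT_ORDER.__getitem__)
    # A system-level security objective is never rated below Low, even when
    # every information type is Not Applicable for confidentiality.
    return "Low" if top == "Not Applicable" else top


def categorize_system(info_types):
    """Per-objective high-water mark across all information types (Step 2, third task)."""
    return {
        objective: high_water_mark(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }


def format_categorization(categorization):
    """Render in the page's 'Moderate-High-Moderate' style (C-I-A order)."""
    return "-".join(categorization[o] for o in OBJECTIVES)


def overall_impact(categorization):
    """Single level that selects the baseline: high-water mark across the three objectives."""
    return high_water_mark(categorization.values())


def select_baseline(info_types):
    """Run Step 2 end to end and name the SP 800-53B baseline that Step 3 starts from."""
    categorization = categorize_system(info_types)
    level = overall_impact(categorization)
    return {
        "categorization": format_categorization(categorization),
        "baseline": level,
        "approx_controls": BASELINE_CONTROL_COUNTS[level],
    }


# Constructed sample inventory for a hypothetical benefits-processing system.
SAMPLE_INFO_TYPES = [
    InformationType("Personnel records", "Moderate", "Moderate", "Low"),
    InformationType("Public web content", "Not Applicable", "Moderate", "Low"),
    InformationType("Benefits payments", "Moderate", "High", "Moderate"),
]

if __name__ == "__main__":
    result = select_baseline(SAMPLE_INFO_TYPES)
    print(f"Categorization: {result['categorization']}")
    print(f"Baseline: {result['baseline']} (~{result['approx_controls']} controls)")
```

Note that a single High-rated information type (here the integrity of benefits payments) pulls the whole system to the High baseline, which is exactly why the task list has the AO approve the categorization before control selection starts.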

Step 3: Select

During the Select step, the organization chooses the security and privacy controls that will protect the system based on its categorization. This step operationalizes the connection between SP 800-37 (the process) and SP 800-53 Rev. 5 (the controls).

Tasks:

  • Select the initial control baseline from NIST SP 800-53B that corresponds to the system's impact level.
  • Tailor the baseline by adjusting controls to account for the organization's specific risk environment, mission requirements, and threat landscape. Tailoring includes scoping, compensating controls, and organization-defined parameters.
  • Identify controls that can be inherited from common control providers (other organizational systems or shared infrastructure).
  • Supplement the baseline with additional controls based on the risk assessment, supply chain risk analysis, or regulatory requirements beyond the baseline.
  • Document control selections and rationale in the System Security Plan (SSP).

Key output: A tailored control baseline documented in the System Security Plan, including inherited controls and their providers.
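The Select tasks above (baseline, tailoring, inheritance, supplementation, SSP documentation) can be expressed as a small data pipeline whose output is the SSP control table. The following is an added example written for this page; it is not code from the page or from PTG's control-mapping tooling. The control identifiers are real SP 800-53 Rev. 5 IDs used as sample data, but the baseline membership, the common control provider, the implemented-control set and the tailoring decisions are constructed for illustration and are not the official SP 800-53B Moderate baseline; the label AU-12-COMP-1 is a hypothetical compensating control name. The check a practitioner most wants is enforced in code: no control leaves the baseline without a documented rationale.

```python
"""Tailored control baseline and SSP control implementation table.

Added example for this page; it is not code from the page or from PTG's
control-mapping tooling. Control IDs are real SP 800-53 Rev. 5 identifiers,
but the baseline membership, provider, implemented set and decisions below
are constructed sample data, not the official SP 800-53B baseline.
"""
from dataclasses import dataclass

TAILORING_ACTIONS = {"scope_out", "compensate", "set_parameter", "supplement"}


@dataclass(frozen=True)
class TailoringDecision:
    control: str
    action: str       # one of TAILORING_ACTIONS
    rationale: str    # required: the SSP must record why the baseline was changed
    detail: str = ""  # compensating control ID, parameter value, or source of a supplement


@dataclass
class ControlEntry:
    control: str
    status: str         # implemented | planned | inherited | not applicable
    provider: str = ""  # common control provider when inherited
    notes: str = ""


def control_sort_key(control_id):
    """Catalog order: AC-2 before AC-17, and AC-2(1) right after AC-2."""
    family, rest = control_id.split("-", 1)
    base, _, enhancement = rest.partition("(")
    return (family, int(base), int(enhancement.rstrip(")")) if enhancement else 0)


def tailor_baseline(baseline, decisions):
    """Apply tailoring decisions to the initial baseline.

    Returns (required controls, notes per control, scoped-out controls with
    rationale, compensating control per control). Every decision must carry a
    rationale, and scoping/compensation/parameters apply only to baseline controls.
    """
    required = set(baseline)
    notes, scoped_out, compensating = {}, {}, {}
    for d in decisions:
        if d.action not in TAILORING_ACTIONS:
            raise ValueError(f"{d.control}: unknown tailoring action {d.action!r}")
        if not d.rationale.strip():
            raise ValueError(f"{d.control}: tailoring decision has no documented rationale")
        if d.action != "supplement" and d.control not in required:
            raise ValueError(f"{d.control}: not in the baseline, cannot {d.action}")
        if d.action == "scope_out":
            required.discard(d.control)
            scoped_out[d.control] = d.rationale
        elif d.action == "compensate":
            if not d.detail:
                raise ValueError(f"{d.control}: compensating control not named")
            compensating[d.control] = d.detail
            notes[d.control] = f"satisfied by compensating control {d.detail}: {d.rationale}"
        elif d.action == "set_parameter":
            notes[d.control] = f"organization-defined parameter: {d.detail}"
        else:  # supplement
            required.add(d.control)
            notes[d.control] = f"supplemental control: {d.rationale}"
    return required, notes, scoped_out, compensating


def build_ssp_control_table(baseline, decisions, common_controls, implemented):
    """Produce the SSP control table (Step 3 output) and the gap list handed to Step 4."""
    required, notes, scoped_out, compensating = tailor_baseline(baseline, decisions)
    implemented = set(implemented)
    table = []
    for c in sorted(required | set(scoped_out), key=control_sort_key):
        if c in scoped_out:
            table.append(ControlEntry(c, "not applicable", notes=scoped_out[c]))
        elif c in common_controls:  # inherited from a common control provider
            table.append(ControlEntry(c, "inherited", provider=common_controls[c], notes=notes.get(c, "")))
        elif c in implemented or compensating.get(c) in implemented:
            table.append(ControlEntry(c, "implemented", notes=notes.get(c, "")))
        else:
            table.append(ControlEntry(c, "planned", notes=notes.get(c, "")))
    gaps = [e.control for e in table if e.status == "planned"]
    return table, gaps


# Constructed sample data (not the official Moderate baseline).
SAMPLE_BASELINE = ["AC-2", "AC-17", "AU-2", "AU-12", "IA-2", "PE-3", "SC-7", "SI-4"]
SAMPLE_DECISIONS = [
    TailoringDecision("AC-17", "scope_out",
                      "No remote access paths exist; administration is from the enclave console only."),
    TailoringDecision("AC-2", "set_parameter", "Risk assessment requires monthly account review.",
                      detail="account review frequency = 30 days"),
    TailoringDecision("AU-12", "compensate", "Appliance hosts cannot run the enterprise audit agent.",
                      detail="AU-12-COMP-1"),  # hypothetical compensating control label
    TailoringDecision("SI-4(4)", "supplement",
                      "Supply chain risk analysis requires inbound/outbound traffic monitoring."),
]
SAMPLE_COMMON_CONTROLS = {"PE-3": "Headquarters facilities (common control provider)"}
SAMPLE_IMPLEMENTED = {"AC-2", "IA-2", "SC-7", "AU-12-COMP-1"}

if __name__ == "__main__":
    table, gaps = build_ssp_control_table(SAMPLE_BASELINE, SAMPLE_DECISIONS,
                                          SAMPLE_COMMON_CONTROLS, SAMPLE_IMPLEMENTED)
    for entry in table:
        print(f"{entry.control:<8} {entry.status:<15} {entry.provider} {entry.notes}")
    print("Gaps for Step 4:", gaps)
```

The "planned" rows are the gap list: they are the controls that still need implementation in Step 4 and that an assessor will expect to see either implemented or on the POA&M by Step 5.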

PTG's private AI fleet accelerates control selection by automatically mapping an organization's existing controls to the required baseline, identifying gaps, and recommending compensating controls where full implementation is not feasible. This process, which typically takes compliance teams weeks of spreadsheet work, is completed in hours using PTG's on-premise large language models running on custom GPU infrastructure. No other firm in the Raleigh-Durham Triangle offers this capability.

Step 4: Implement

The Implement step translates selected controls from the SSP into operational security measures within the system and its operating environment.

Tasks:

  • Implement the controls as described in the SSP, including technical controls (firewalls, encryption, access control mechanisms), operational controls (incident response procedures, personnel security), and management controls (risk assessments, security planning).
  • Document the implementation details, including how each control operates, its dependencies, and any deviations from the planned implementation.
  • Update the SSP to reflect the actual implementation, including configuration settings, network diagrams, and data flow descriptions.

Key output: An updated SSP with complete control implementation details, serving as the authoritative record of the system's security posture.

Implementation is where many organizations stall. The gap between selecting a control on paper and deploying it in a production environment requires technical expertise across networking, identity management, encryption, logging, and physical security. PTG's team, led by Craig Petronella (Cisco CCNA, CWNE, Licensed Digital Forensic Examiner #604180), combines hands-on technical implementation with compliance documentation, ensuring that every control is both operational and properly documented for the assessment phase.

Step 5: Assess

The Assess step determines whether implemented controls are operating as intended and producing the desired security and privacy outcomes. Assessment procedures follow NIST SP 800-53A Rev. 5, which defines specific assessment methods (examine, interview, test) for every control in SP 800-53.

Tasks:

  • Develop a Security Assessment Plan (SAP) that identifies the controls to be assessed, assessment methods, assessment schedule, and the assessment team.
  • Conduct the assessment using independent assessors (for federal systems, this is typically a Third-Party Assessment Organization, or 3PAO). Assessment methods include examining documentation, interviewing personnel, and testing control functionality.
  • Produce a Security Assessment Report (SAR) that documents assessment findings, including deficiencies and recommendations for remediation.
  • Develop a Plan of Action and Milestones (POA&M) for any controls found to be deficient, documenting the planned remediation actions, responsible parties, and target completion dates.

Key output: A Security Assessment Report (SAR) and a Plan of Action and Milestones (POA&M) that together provide the Authorizing Official with a clear picture of the system's risk posture.

Step 6: Authorize

The Authorize step is the critical decision point where the Authorizing Official (AO) reviews the complete authorization package and makes a risk-based decision about whether to allow the system to operate.

Tasks:

  • Assemble the authorization package: the SSP, SAR, POA&M, and any supplemental risk information.
  • The AO reviews the package, evaluates the residual risk (risk remaining after controls are implemented), and determines whether that risk is acceptable given the organization's risk tolerance.
  • The AO issues one of three authorization decisions:
    • Authorization to Operate (ATO): The system is approved to operate for a defined period (typically three years for federal systems, though continuous authorization models are increasingly common).
    • Interim Authorization to Operate (IATO): The system is approved to operate temporarily while specific deficiencies are remediated, typically for 90 to 180 days.
    • Denial of Authorization to Operate (DATO): The system's risk exceeds acceptable thresholds and it must not operate until deficiencies are corrected.

Key output: A formal authorization decision documented in an authorization letter, along with any conditions or restrictions on system operation.

The authorization decision is ultimately a business risk decision, not a technical one. The AO must weigh the system's mission value against its residual risk. PTG prepares organizations for this decision by ensuring that the authorization package tells a clear, compelling story: risks are identified, controls are documented, deficiencies have remediation plans, and the overall posture aligns with organizational risk tolerance. Craig Petronella, an Amazon #1 Best-Selling Author of 14+ cybersecurity books, brings the communication skills necessary to translate technical findings into executive-level risk narratives.

Step 7: Monitor

The Monitor step transitions the system from a point-in-time authorization to ongoing risk management. This step is where the RMF becomes a continuous cycle rather than a one-time compliance exercise.

Tasks:

  • Implement the continuous monitoring strategy established during the Prepare step, aligned with NIST SP 800-137.
  • Conduct ongoing assessments of a subset of controls at defined frequencies (monthly, quarterly, annually) to verify continued effectiveness.
  • Monitor system changes (hardware, software, personnel, environment) and assess the security impact of those changes.
  • Update the SSP, SAR, and POA&M as the system evolves and new risks emerge.
  • Report security and privacy posture to the AO and senior leadership on a regular basis.
  • Conduct periodic reauthorization or maintain ongoing authorization through continuous monitoring.

Key output: Updated authorization artifacts, ongoing risk reports, and either periodic reauthorization decisions or a continuous authorization status.
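The Monitor tasks above (ongoing assessment at defined frequencies, security impact analysis of changes, and regular posture reporting) together with the POA&M fields from the Assess step (weakness, risk, responsible party, target completion date) describe a reporting cycle that is easy to automate. The following is an added example written for this page; it is not code from the page or from PTG's continuous monitoring service. Control IDs are real SP 800-53 identifiers; the assessment frequencies, last-assessed dates, component-to-control map and POA&M items are constructed sample data, and the 30/91/365-day intervals are an assumed interpretation of "monthly, quarterly, annually".

```python
"""Continuous monitoring schedule and POA&M posture report (Steps 5 and 7).

Added example for this page; it is not code from the page or from PTG's
monitoring service. Control IDs are real SP 800-53 identifiers; the
frequencies, dates, component map and POA&M items are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed assessment intervals (days) for the frequencies named on the page.
FREQUENCY_DAYS = {"monthly": 30, "quarterly": 91, "annually": 365}
RISK_LEVELS = ("High", "Moderate", "Low")


@dataclass(frozen=True)
class MonitoredControl:
    control: str
    frequency: str
    last_assessed: date


@dataclass(frozen=True)
class PoamItem:
    item_id: str
    control: str
    weakness: str
    risk: str             # High | Moderate | Low
    owner: str            # responsible party
    target_date: date     # target completion date
    status: str = "open"  # open | completed | risk_accepted

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"{self.item_id}: unknown risk level {self.risk!r}")


def controls_due(monitored, as_of):
    """Controls whose assessment interval has elapsed, as (control, days overdue), most overdue first."""
    due = []
    for m in monitored:
        if m.frequency not in FREQUENCY_DAYS:
            raise ValueError(f"{m.control}: unknown frequency {m.frequency!r}")
        next_due = m.last_assessed + timedelta(days=FREQUENCY_DAYS[m.frequency])
        if next_due <= as_of:
            due.append((m.control, (as_of - next_due).days))
    return sorted(due, key=lambda item: (-item[1], item[0]))


def controls_affected_by_change(changed_components, component_controls):
    """Controls needing a security impact reassessment because a system component changed."""
    affected = set()
    for component in changed_components:
        if component not in component_controls:
            raise ValueError(f"unknown component {component!r}: map it to controls before approving the change")
        affected.update(component_controls[component])
    return sorted(affected)


def poam_summary(items, as_of):
    """Counts for the posture report: open items by risk, overdue items, high-risk overdue items."""
    open_items = [i for i in items if i.status == "open"]
    by_risk = {level: 0 for level in RISK_LEVELS}
    for i in open_items:
        by_risk[i.risk] += 1
    overdue = [i for i in open_items if i.target_date < as_of]
    return {
        "open": len(open_items),
        "by_risk": by_risk,
        "overdue": [i.item_id for i in overdue],
        "high_risk_overdue": [i.item_id for i in overdue if i.risk == "High"],
    }


def posture_report(monitored, items, changed_components, component_controls, as_of):
    """What the ISSO reports to the AO for one monitoring cycle."""
    return {
        "as_of": as_of.isoformat(),
        "assessments_due": controls_due(monitored, as_of),
        "reassess_after_change": controls_affected_by_change(changed_components, component_controls),
        "poam": poam_summary(items, as_of),
    }


# Constructed sample data for a hypothetical Moderate-impact system.
AS_OF = date(2026, 3, 15)
SAMPLE_MONITORED = [
    MonitoredControl("AC-2", "quarterly", date(2025, 12, 1)),
    MonitoredControl("SC-7", "monthly", date(2026, 2, 1)),
    MonitoredControl("SI-4", "monthly", date(2026, 3, 1)),
    MonitoredControl("CP-9", "annually", date(2025, 6, 30)),
    MonitoredControl("RA-5", "monthly", date(2026, 1, 20)),
]
SAMPLE_COMPONENT_CONTROLS = {"identity provider": ["IA-2", "AC-2"], "boundary firewall": ["SC-7", "AC-4"]}
SAMPLE_CHANGES = ["boundary firewall"]
SAMPLE_POAM = [
    PoamItem("P-001", "AU-2", "Audit events not enabled on database hosts", "High", "ISSO", date(2026, 2, 28)),
    PoamItem("P-002", "AU-12", "Audit records not centrally forwarded", "Moderate", "Platform lead", date(2026, 4, 30)),
    PoamItem("P-003", "SI-4", "IDS sensors missing on DMZ segment", "Moderate", "Network lead", date(2026, 1, 31),
             status="completed"),
    PoamItem("P-004", "CP-9", "Backup restore test overdue", "Low", "Ops lead", date(2026, 3, 1)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(posture_report(SAMPLE_MONITORED, SAMPLE_POAM, SAMPLE_CHANGES,
                                    SAMPLE_COMPONENT_CONTROLS, AS_OF), indent=2))
```

Two design points: a component change marks its mapped controls for reassessment regardless of where they sit in the schedule, and an unmapped component is rejected rather than silently ignored, since an unmapped change is precisely the kind of drift that leaves an authorization boundary unverified between assessments.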

PTG's continuous monitoring service leverages its on-premise AI infrastructure (GPU clusters, private cloud, custom LLMs) to automate vulnerability scanning, configuration monitoring, log analysis, and control assessment. This approach enables near-real-time risk visibility rather than the traditional point-in-time snapshots that leave organizations blind to emerging threats between annual assessments. PTG's patented tools generate automated POA&M updates and risk reports, reducing the manual burden of continuous monitoring by up to 70%.

RMF Steps Mapped to Key NIST Publications

Each RMF step references specific NIST publications for detailed guidance. The following table maps each step to its primary supporting publications.

| RMF Step | Primary NIST Publications | Purpose |
|---|---|---|
| Prepare | SP 800-37 Rev. 2, SP 800-39 | Establish organizational risk context, roles, strategy |
| Categorize | FIPS 199, SP 800-60 | Classify system and information types by impact level |
| Select | SP 800-53 Rev. 5, SP 800-53B | Choose and tailor security/privacy control baselines |
| Implement | SP 800-53 Rev. 5, SP 800-160 Vol. 1 | Deploy controls; integrate security into system engineering |
| Assess | SP 800-53A Rev. 5 | Evaluate control effectiveness using defined assessment procedures |
| Authorize | SP 800-37 Rev. 2 | Risk-based decision on system operation (ATO/IATO/DATO) |
| Monitor | SP 800-137, SP 800-30 | Continuous assessment, change monitoring, reauthorization |

How RMF Integrates with NIST SP 800-53

The relationship between SP 800-37 and SP 800-53 is foundational to understanding federal cybersecurity. SP 800-37 is the process; SP 800-53 is the content. The RMF tells organizations what to do (categorize, select, implement, assess, authorize, monitor); SP 800-53 tells them what controls to apply.

Specifically, the integration occurs at three critical points:

  1. Control Selection (Step 3): The system's FIPS 199 categorization from Step 2 directly maps to one of three control baselines defined in SP 800-53B (Control Baselines). A Moderate-impact system, for example, starts with the Moderate baseline of approximately 325 controls drawn from the 20 control families in SP 800-53 Rev. 5. The organization then tailors this baseline, adding or removing controls based on its specific risk profile.
  2. Control Assessment (Step 5): SP 800-53A defines the assessment procedures for every control in SP 800-53. Each control has specific "examine," "interview," and "test" methods that assessors use to determine whether the control is implemented correctly, operating as intended, and producing the desired outcome.
  3. Continuous Monitoring (Step 7): Ongoing assessments evaluate a rotating subset of SP 800-53 controls to verify continued compliance. When new threats emerge or the system changes, organizations may need to revisit control selection and add supplemental controls from the SP 800-53 catalog.

Without SP 800-53, the RMF would be a process with no substance. Without the RMF, SP 800-53 would be a catalog of controls with no structured method for applying them. Together, they form the backbone of federal information security.

RMF and FISMA

The Federal Information Security Modernization Act (FISMA), originally enacted in 2002 and updated in 2014, requires federal agencies to develop, document, and implement information security programs for all systems that support federal operations. FISMA does not prescribe specific controls; instead, it mandates that agencies follow the risk management framework defined by NIST. That framework is SP 800-37.

In practice, FISMA compliance means RMF compliance. Agencies must categorize every system using FIPS 199, select controls from SP 800-53, assess those controls, obtain authorization to operate, and continuously monitor. The Office of Management and Budget (OMB) oversees FISMA implementation, and inspectors general conduct annual audits to evaluate agency compliance. Agencies that fail FISMA audits face budget scrutiny, operational restrictions, and public reporting of their deficiencies.

For organizations that work with federal agencies, whether as contractors, cloud providers, or grant recipients, understanding the FISMA-RMF connection is essential. Your federal partners are required to ensure that any systems or services you provide meet RMF requirements. PTG helps organizations navigate this requirement through its compliance services, providing gap assessments, documentation support, and continuous monitoring aligned with FISMA expectations.

RMF and FedRAMP

FedRAMP applies a modified version of the RMF specifically for cloud service providers (CSPs) that serve federal agencies. The FedRAMP process follows the same seven RMF steps but adds FedRAMP-specific requirements, including mandatory use of FedRAMP baselines (which add parameters and enhancements beyond the standard SP 800-53 baselines), assessment by an accredited Third-Party Assessment Organization (3PAO), and monthly continuous monitoring deliverables.

Key differences between standard RMF and the FedRAMP adaptation include:

  • Standardized baselines: FedRAMP defines its own control baselines at Low, Moderate, and High impact levels. These baselines start with the SP 800-53 baselines and add FedRAMP-specific parameter values and additional controls.
  • Centralized authorization: While standard RMF authorizations are issued by individual agency AOs, FedRAMP provides a "do once, use many times" model where a single authorization can be leveraged by multiple agencies.
  • Mandatory 3PAO assessment: Federal agencies can use internal assessors for standard RMF; FedRAMP requires independent 3PAO assessment.
  • Monthly monitoring deliverables: FedRAMP requires monthly vulnerability scans, monthly POA&M updates, and annual penetration testing, with specific formatting and submission requirements.

RMF and CMMC

The Cybersecurity Maturity Model Certification (CMMC) program, administered by the Department of Defense, builds on NIST SP 800-171, which itself derives from SP 800-53. While CMMC does not explicitly require organizations to follow the full RMF lifecycle, the disciplined approach of the RMF directly supports CMMC readiness. Organizations that implement RMF practices, particularly in the Prepare, Select, and Monitor steps, are better positioned to achieve and maintain CMMC certification because they have already established the risk management infrastructure that CMMC assessors evaluate.

PTG's compliance team integrates RMF practices into every CMMC engagement. Craig Petronella, as a CMMC Registered Practitioner, applies the RMF's structured approach to help defense contractors identify their Controlled Unclassified Information (CUI) boundaries, select appropriate 800-171 controls, and establish continuous monitoring processes that satisfy both CMMC and broader federal requirements.

Key RMF Artifacts

The RMF process produces several critical documents that constitute the authorization package. Organizations should understand each artifact's purpose and content requirements.

System Security Plan (SSP)

The SSP is the most comprehensive RMF artifact. It describes the system's boundary, architecture, data flows, interconnections, and the security controls implemented to protect it. The SSP documents every control from the tailored baseline, including whether each control is implemented, planned, inherited, or not applicable, along with a detailed description of how the control is satisfied. For a Moderate-impact system, the SSP typically runs 200 to 400 pages. PTG's AI-powered documentation tools generate SSP templates pre-populated with control descriptions, reducing drafting time by 50 to 60%.

Security Assessment Report (SAR)

The SAR documents the results of the independent security assessment conducted in Step 5. It identifies which controls passed, which failed, and provides detailed findings for each deficiency, including the root cause and potential impact. The SAR provides the Authorizing Official with the evidence needed to make a risk-based authorization decision.

Plan of Action and Milestones (POA&M)

The POA&M tracks all identified security deficiencies, whether from the initial assessment, continuous monitoring, or audit findings. Each POA&M item includes a description of the weakness, the associated risk, planned corrective actions, responsible parties, and target completion dates. The POA&M is a living document that is updated throughout the system's lifecycle.

How AI Changes Risk Management

Artificial intelligence is transforming every step of the RMF. AI systems themselves introduce new categories of risk, including data poisoning, model manipulation, adversarial inputs, and algorithmic bias, that traditional security controls were not designed to address. At the same time, AI tools accelerate the RMF process by automating labor-intensive tasks.

PTG operates at the intersection of AI development and cybersecurity compliance, a combination that few firms offer. PTG's on-premise AI fleet, running on custom GPU infrastructure with full data sovereignty, enables the following RMF accelerations:

  • Automated categorization: AI analyzes data flow diagrams, system documentation, and interconnection agreements to recommend FIPS 199 categorization, flagging information types that organizations commonly overlook.
  • Intelligent control selection: Machine learning models trained on thousands of SSPs recommend tailored control baselines based on the organization's specific technology stack, threat profile, and regulatory requirements.
  • Gap analysis automation: Natural language processing compares existing policy and procedure documents against SP 800-53 control requirements, identifying specific gaps at the sentence level rather than requiring line-by-line manual review.
  • Continuous monitoring at scale: AI-powered log analysis and anomaly detection operate 24/7, correlating events across systems to identify control failures and potential security incidents that human analysts would miss in the noise of millions of daily log entries.
  • Risk scoring: Quantitative risk models aggregate findings from vulnerability scans, penetration tests, threat intelligence feeds, and control assessment results to produce dynamic risk scores that inform real-time authorization decisions.

For organizations deploying AI systems, the RMF provides the structural framework to manage AI-specific risks. The NIST AI Risk Management Framework (AI RMF) complements SP 800-37 by providing AI-specific guidance that can be integrated into the RMF lifecycle. PTG helps organizations apply both frameworks together, ensuring that AI systems are governed with the same rigor as traditional information systems.

How Non-Federal Organizations Benefit from RMF

While FISMA mandates the RMF for federal agencies, the framework's structured approach to risk management offers substantial value to private-sector organizations. Companies that adopt the RMF benefit in several ways:

  • Regulatory alignment: The RMF's control selection process (based on SP 800-53) maps to virtually every major compliance framework, including SOC 2, ISO 27001, HIPAA, and PCI DSS. Organizations that implement the RMF once can demonstrate compliance across multiple frameworks with minimal additional effort.
  • Federal contract readiness: Companies considering federal contracts, including defense work requiring CMMC certification, can adopt the RMF early to build the risk management infrastructure they will eventually need.
  • Insurance and due diligence: Cyber insurance underwriters increasingly evaluate applicants' risk management maturity. An organization that follows the RMF demonstrates a level of discipline that translates directly into more favorable terms and lower premiums.
  • Board-level governance: The SEC's 2023 cybersecurity disclosure rules require public companies to describe their risk management processes. The RMF provides a well-documented, NIST-endorsed framework that satisfies these disclosure requirements.
  • Incident response preparedness: The RMF's continuous monitoring and risk assessment activities feed directly into incident detection and response capabilities. Organizations with mature RMF implementations respond to incidents faster and with better outcomes. When incidents escalate to litigation, PTG's Licensed Digital Forensic Examiner capabilities (Craig Petronella, License #604180) provide the forensic expertise to investigate, preserve evidence, and support legal proceedings.

RMF Roles and Responsibilities

The RMF defines several key roles, each with specific responsibilities. Clear role assignment is one of the most important, and most frequently neglected, aspects of a successful RMF implementation.

| Role | Responsibilities | Typical Position |
|---|---|---|
| Authorizing Official (AO) | Accepts risk and issues authorization decisions (ATO/IATO/DATO) | Agency head, CISO, or senior executive |
| Risk Executive | Establishes organization-wide risk management strategy and risk tolerance | CRO, CISO, or senior risk officer |
| Chief Information Officer (CIO) | Ensures IT resources support RMF implementation; designates security officers | CIO or IT Director |
| System Owner | Manages the system through its lifecycle; ensures controls are implemented | Program manager or department head |
| Information System Security Officer (ISSO) | Day-to-day security operations; maintains SSP; tracks POA&M items | Security analyst or security engineer |
| Security Control Assessor | Independently evaluates control effectiveness; produces the SAR | 3PAO, IG, or independent assessor |
| Senior Agency Official for Privacy (SAOP) | Ensures privacy requirements are integrated into the RMF lifecycle | Chief Privacy Officer or designated privacy lead |

For SMBs that lack dedicated security staff, PTG provides fractional ISSO and security officer services, filling these critical RMF roles with experienced professionals while the organization builds internal capability. Call 919-348-4912 to discuss how PTG can support your RMF role requirements.

RMF Implementation Checklist

PTG maintains a free, open-source RMF implementation checklist on GitHub. The NIST 800-37 RMF Checklist provides task-by-task guidance for each of the seven RMF steps, including required inputs, expected outputs, responsible roles, and references to source NIST publications. Use it as a practical starting point for your RMF implementation.

Related Compliance Resources

NIST SP 800-53

The master control catalog with 1,000+ controls across 20 families that underpins most federal compliance frameworks.

NIST 800-53B Baselines

Control baselines defining Low, Moderate, and High security control sets from NIST SP 800-53.

NIST 800-30 Risk Assessment

NIST risk assessment methodology for identifying threats and vulnerabilities and determining risk levels.

Continuous Monitoring

Information security continuous monitoring program for ongoing assessment of security controls.

FedRAMP Authorization

Federal cloud authorization framework built on NIST SP 800-53, required for cloud services used by federal agencies.

FISMA Compliance

The federal law mandating NIST standards for federal agency information security programs.

CMMC 2.0 Compliance

CMMC 2.0 certification requirements for defense contractors, built on NIST SP 800-171.

Framework Comparison Guide

Side-by-side comparison of 20+ compliance frameworks with an industry decision matrix.

Frequently Asked Questions

What is NIST SP 800-37 and why does it matter?
NIST SP 800-37 Rev. 2 defines the Risk Management Framework (RMF), a seven-step lifecycle for managing security and privacy risk in information systems. It matters because FISMA requires all federal agencies to follow the RMF, FedRAMP adapts it for cloud services, and its structured approach to risk management represents the gold standard adopted by regulated industries worldwide. The current version, published in December 2018, is available at csrc.nist.gov.
What are the seven steps of the Risk Management Framework?
The seven RMF steps are: (1) Prepare, which establishes organizational context and risk strategy; (2) Categorize, which classifies the system by impact level; (3) Select, which chooses security controls from SP 800-53; (4) Implement, which deploys the selected controls; (5) Assess, which evaluates control effectiveness; (6) Authorize, which is the risk acceptance decision; and (7) Monitor, which provides ongoing assessment and risk management. The Prepare step was added in Rev. 2.
How does the RMF relate to NIST SP 800-53?
SP 800-37 is the process framework; SP 800-53 is the control catalog. The RMF (800-37) tells organizations how to select, implement, assess, and monitor controls. SP 800-53 provides the actual controls (over 1,000 across 20 families) from which organizations choose. During Step 3 (Select), the system's FIPS 199 categorization maps to a specific SP 800-53 baseline. During Step 5 (Assess), SP 800-53A provides the assessment procedures for those controls.
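The hand-off from Categorize to Select described above can be made concrete. The following is an added illustration, not PTG's checklist or any NIST tooling: it applies the FIPS 199 high-water-mark rules to a constructed set of information types and returns the SP 800-53B baseline that Step 3 would start from. Function names and the sample system are assumptions.

```python
# Added example: FIPS 199 categorization feeding SP 800-53B baseline selection.
# Rules encoded here come from FIPS 199: per-objective high-water mark across
# information types; "not applicable" (None) allowed only for confidentiality
# of an information type; a system is never categorized below LOW.
from typing import Dict, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


def system_categorization(
    info_types: Dict[str, Dict[str, Optional[str]]]
) -> Dict[str, str]:
    """Return the system's impact level for each security objective."""
    result: Dict[str, str] = {}
    for obj in OBJECTIVES:
        levels = []
        for name, impacts in info_types.items():
            level = impacts[obj]
            if level is None:
                # N/A is only a valid information-type value for confidentiality
                if obj != "confidentiality":
                    raise ValueError(f"{name}: N/A is only permitted for confidentiality")
                continue
            if level not in RANK:
                raise ValueError(f"{name}: unknown impact level {level!r}")
            levels.append(level)
        # Low-water mark: a system objective is at least LOW even if every
        # information type marked it N/A.
        result[obj] = max(levels, key=RANK.__getitem__) if levels else "LOW"
    return result


def select_baseline(categorization: Dict[str, str]) -> str:
    """SP 800-53B baseline is the high-water mark across the three objectives.
    (The baseline is the starting point for Step 3; tailoring follows.)"""
    return max(categorization.values(), key=RANK.__getitem__)


# Constructed sample system: three information types with provisional impacts.
SAMPLE_SYSTEM = {
    "public_website_content": {"confidentiality": None, "integrity": "MODERATE", "availability": "LOW"},
    "personnel_records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "financial_transactions": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    cat = system_categorization(SAMPLE_SYSTEM)
    print(cat, "->", select_baseline(cat))  # integrity HIGH drives a HIGH baseline
```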
Who must comply with the RMF?
FISMA mandates RMF compliance for all federal agencies and their information systems. This requirement extends to federal contractors and cloud service providers through contract clauses, FedRAMP, CMMC (for defense), and other regulatory mechanisms. Non-federal organizations are not required to follow the RMF but increasingly adopt it as a best practice for managing cybersecurity risk, particularly if they handle federal data or seek federal contracts.
What is an Authorization to Operate (ATO)?
An ATO is the formal decision by an Authorizing Official that a system's residual risk is acceptable and the system is approved to operate. The ATO is based on a review of the authorization package (SSP, SAR, POA&M). ATOs are typically valid for three years, though NIST and OMB increasingly encourage ongoing authorization through continuous monitoring. An Interim ATO (IATO) provides temporary approval (90 to 180 days) while specific deficiencies are remediated. A Denial of ATO (DATO) prohibits system operation until risks are mitigated.
How long does the RMF process take?
For a new system, the full RMF lifecycle from Prepare through Authorization typically takes 6 to 18 months, depending on the system's complexity, the organization's existing security posture, and available resources. PTG's AI-powered compliance tools can compress this timeline significantly by automating documentation generation, control mapping, and gap analysis. A well-prepared organization with strong existing controls can achieve authorization in as few as 4 to 6 months with the right support.
What is the difference between the RMF and the NIST Cybersecurity Framework (CSF)?
The NIST CSF is an outcome-based, voluntary framework organized around six functions (Govern, Identify, Protect, Detect, Respond, Recover). The RMF is a process-based, mandatory (for federal systems) framework organized around seven sequential steps. The CSF describes "what" security outcomes to achieve; the RMF describes "how" to systematically achieve them. SP 800-37 Rev. 2 includes a mapping between RMF activities and CSF functions, and organizations can use both frameworks together.
Can small businesses use the RMF?
Yes. While the RMF was designed for federal agencies, its structured approach scales to organizations of any size. Small businesses that handle federal data (as contractors, subcontractors, or cloud providers) often must implement elements of the RMF. PTG specializes in making the RMF accessible to SMBs by providing the expertise, tools, and AI-powered automation that reduce the resource burden. PTG's compliance service packages are specifically designed for organizations that need enterprise-grade risk management without enterprise-sized budgets.
How does AI affect the RMF process?
AI affects the RMF in two ways. First, AI tools accelerate traditional RMF activities: automated control mapping, intelligent gap analysis, AI-assisted documentation, and continuous monitoring powered by machine learning. Second, AI systems themselves are information systems that require RMF governance. The NIST AI Risk Management Framework (AI RMF) provides complementary guidance for AI-specific risks such as bias, transparency, and robustness. PTG combines both perspectives through its integrated AI and cybersecurity practice.
What happens after an ATO is granted?
The ATO is not the finish line; it is the beginning of continuous monitoring (Step 7). Organizations must conduct ongoing control assessments, monitor for system changes and new threats, update the SSP and POA&M, report risk posture to the AO, and maintain readiness for reauthorization. Organizations that treat the ATO as a one-time event inevitably fall out of compliance and face reauthorization challenges. PTG's continuous monitoring service ensures that your security posture remains current between authorization cycles.

Get Started with the Risk Management Framework

Whether you are a federal agency preparing for a FISMA audit, a cloud provider pursuing FedRAMP authorization, a defense contractor navigating CMMC requirements, or a private-sector organization adopting the RMF as a best practice, Petronella Technology Group, Inc. has the expertise and technology to guide you through every step of the process.

Petronella Technology Group, Inc. • 919-348-4912 • 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 • BBB A+ Since 2003 • Founded 2002

Free Assessment

Get Your RMF Readiness Assessment

Find out where your organization stands in the RMF lifecycle. Our team has protected 2,500+ businesses since 2002.


Additional Resources: NIST SP 800-37 Rev. 2 (Full Publication) | PTG NIST 800-37 RMF Checklist (GitHub) | NIST Compliance Hub | PTG Compliance Services | PTG AI Services

Ready to Implement the Risk Management Framework?

Talk to our experts. 2,500+ businesses protected since 2002, zero client breaches. Get a free assessment with no obligation.

A+ BBB Rating • CMMC Registered • 23+ Years Experience