NIST SP 800-37

NIST Special Publication 800-37 is the guide for applying the Risk Management Framework (RMF) to information systems. It describes the step-by-step process for preparing your system, categorizing it, selecting controls, implementing them, assessing their effectiveness, authorizing the system, and monitoring it continuously.

This publication is the RMF playbook: it tells you what to do at each step, what documents to produce, and who is responsible. If you're involved in getting a system through the Authorization to Operate (ATO) process, 800-37 is your guide.

Why It Matters

Understanding the RMF process described in 800-37 helps you support your government customers more effectively and ensures your deliverables align with the authorization process they must follow.