NIST Special Publication 800 -37 Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy JOINT TASK FORCE This publication is available free of charge from : https://doi.org/10.6028/NIST.SP.800- 37r2 This publication contains comprehensive updates to the Risk Management Framework . The updates include an alignment with the co nstructs in the NIST Cybersecurity Framework; the integration of privacy risk management processes ; an alignment with system life cycle security engineering proc esses; and the in corporation of suppl y chain risk management processes. Organizations can use the frameworks and processes in a complementary manner within the RMF to effectively manage security and privacy risks to organizational operations and assets, individuals, other organizations, and the Nation. Revision 2 includes a set of organization -wide RMF tasks that are designed to prepare information system own ers to conduct system -level risk management activities. The intent is to increase the effectiveness, efficiency, and cost-effectiveness of the RMF by establishing a closer connection to the organization’s missions and business functions and improv ing the c ommunications among senior leaders, managers, and operational personnel. NIST Special Publication 800 -37 Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy JOINT TASK FORCE This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800- 37r2 December 2018 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NIST SP 800 -37, REVISION 2 RISK MANA GEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS A System Life Cycle Approach for Security and Privacy ________________________________________________________________________________________________ PAGE i This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800 -37r2 Authority This publication has been developed by NIST to further its statutory responsibiliti es under the Federal Information Security Modernization Act ( FISMA), 44 U.S.C. § 3551 et seq. , Public Law (P.L.) 113 -283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal informati on systems, but such standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with requirements of th e Office of Management and Budget (OMB) Circular A -130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, OMB Director, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST. National Institute of Standards and Techno logy Special Publication 800 -37, Revision 2 Natl. Inst. St and. Technol. Spec. Publ. 800 -37, Rev. 2, 183 page s (December 2