NIST SP 800-37
Risk Management Framework for Information Systems and Organizations
APPENDIX E
SUMMARY OF RMF TASKS
RMF TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES
Table of contents
Table E-1
Table E-2
Table E-3
Table E-4
Table E-5
Table E-6
Table E-7