NIST SP 800-37 is a U.S. National Institute of Standards and Technology (NIST) Special Publication that defines the Risk Management Framework (RMF) for information systems. It describes a structured, lifecycle-based process for managing cybersecurity and privacy risk to federal information systems and organizations.
The publication is formally titled “Guide for Applying the Risk Management Framework to Federal Information Systems” (the revision number changes as the document is updated). It provides process steps, roles, and decision points for selecting, implementing, assessing, authorizing, and monitoring security and privacy controls, typically in alignment with control catalogs such as NIST SP 800-53.
Key elements
Within regulated and industrial environments, NIST SP 800-37 is commonly referenced as a process model for managing cyber and information security risk to both IT and OT systems. Core elements include:
- System categorization: Determining the impact level of a system based on potential harm from loss of confidentiality, integrity, or availability.
- Control selection: Choosing appropriate security and privacy controls (often from NIST SP 800-53) based on the categorization and risk tolerance.
- Control implementation: Implementing the selected controls in the system and its environment of operation.
- Control assessment: Evaluating whether controls are implemented correctly, operating as intended, and producing the desired outcome.
- System authorization: A formal risk-based decision by an authorizing official on whether to operate the system.
- Continuous monitoring: Ongoing oversight of security posture, changes, and control effectiveness over the system lifecycle.
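The categorization and control selection steps above, as an added worked example that is not taken from NIST SP 800-37 itself: it applies the FIPS 199 high-water mark across the information types a system handles and names the SP 800-53 baseline that would be the starting point before tailoring. The plant system, its information types and their impact ratings are constructed sample values.

```python
# Added example: FIPS 199-style high-water-mark categorization for the RMF
# "categorize" step, feeding baseline selection for the "select" step.
# The information types and ratings below are constructed, not from any standard.
from typing import Dict, List

LEVELS = ["low", "moderate", "high"]          # ordered by increasing impact
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types: List[Dict[str, str]]) -> Dict[str, str]:
    """Return the per-objective high-water mark over all information types."""
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        ratings = [t[objective] for t in info_types]
        for rating in ratings:
            if rating not in LEVELS:
                raise ValueError(f"unknown impact level {rating!r} for {objective}")
        # Highest rating wins: the system must protect its most sensitive data.
        result[objective] = max(ratings, key=LEVELS.index)
    return result


def overall_impact(categorization: Dict[str, str]) -> str:
    """Overall system impact is the high-water mark across the three objectives."""
    return max(categorization.values(), key=LEVELS.index)


def fips199_notation(system_name: str, categorization: Dict[str, str]) -> str:
    """Format the result in the FIPS 199 security category (SC) notation."""
    parts = ", ".join(f"({o}, {categorization[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


def baseline_for(categorization: Dict[str, str]) -> str:
    """Name the SP 800-53 baseline matching the overall impact (pre-tailoring)."""
    return f"SP 800-53 {overall_impact(categorization)} baseline"


# Constructed information types for a hypothetical plant MES.
SAMPLE_INFO_TYPES = [
    {"name": "electronic batch records", "confidentiality": "moderate",
     "integrity": "high", "availability": "moderate"},
    {"name": "process recipes and setpoints", "confidentiality": "low",
     "integrity": "high", "availability": "high"},
    {"name": "plant floor telemetry", "confidentiality": "low",
     "integrity": "moderate", "availability": "high"},
]

if __name__ == "__main__":
    sc = categorize(SAMPLE_INFO_TYPES)
    print(fips199_notation("plant MES", sc))
    print(baseline_for(sc))
```

The baseline named here is only the starting point; tailoring for OT constraints (for example, controls that cannot be applied to a controller without revalidation) is a documented decision in the select step, not a reason to lower the categorization.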
Use in industrial and OT environments
In industrial operations, NIST SP 800-37 is often used as a reference framework when:
- Extending federal-style RMF practices to manufacturing OT networks, MES, SCADA, and process control systems.
- Structuring how security controls (for example, from NIST SP 800-53) are selected, assessed, and monitored for plant systems handling regulated or sensitive data.
- Aligning cybersecurity risk management with existing validation, change control, and quality management processes.
Relationship to NIST SP 800-53
NIST SP 800-37 and NIST SP 800-53 are closely related but address different needs:
- NIST SP 800-37: Defines the overall risk management and authorization process (the “how”).
- NIST SP 800-53: Provides a catalog of security and privacy controls that can be selected and applied (the “what”).
In practice, organizations apply the RMF steps from NIST SP 800-37 and use NIST SP 800-53 as a primary source for control requirements, tailoring them to their specific systems and risk profile.
Common confusion
- Not a control catalog: NIST SP 800-37 does not list detailed security controls; it defines the risk management process that relies on separate control catalogs, commonly NIST SP 800-53.
- Not limited to IT: While originally oriented to federal information systems, the RMF concepts are often adapted for OT, industrial control systems, and manufacturing execution environments; this adaptation is organization-specific.
Link to reassessment and monitoring
In the context of NIST SP 800-53 control reassessment, NIST SP 800-37 provides the overarching lifecycle and continuous monitoring concepts that guide how frequently organizations review and update their controls. Reassessment intervals are derived from risk, impact level, and system changes rather than a fixed schedule defined in NIST SP 800-37 itself.