NIST 800 37 Revision 2 – RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Download the presentation in this Video & Learn more here:

This is an overview of NIST 800-37 Revision 2. I discuss the changes, the sources and Cybersecurity Framework.

NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
Initial Public Draft: May 2018
Final Public Draft: July 2018
Final Publication: October 2018

NIST 37-800 Rev 2:

Executive Order:


Cybersecurity Framework:

NIST SP 800-53 (Revision 5):

Source of Changes:
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Office of Management and Budget Memorandum M-17-25 – next-generation Risk Management Framework (RMF) for systems and organizations
NIST SP 800-53 Revision 5 Coordination



Ms Teri Takai, DoD CIO, just signed the new Risk Management Framework document into existence.  DoDI 8510.01, Risk Management Framework for DoD IT  is what will be replacing the DIACAP.  This document will support the DoDD 8500, Cybersecurity.



When I was teaching Risk Management Framework in 2011, the DoD kept telling us that it would be released in 2012.  They were about 2 years let.  I am not surprised since they did the same thing with between DITSCAP and DIACAP.  It took them about 3 year to officially move to DIACAP.  Then it takes much longer for all the units to move to the new standard.

The government  is very slow.


diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring


For more information go to:


DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to risk management framework, comes a few new terms.  “C&A” will be replaced with assessment and authorization.  Even though “information assurance (IA) controls” will be call “security controls”, the definition and work is still the same, but the hope is that its done continuously and more cost-effective.


Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome.  An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.

The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

– NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.


diacap diarmf

diacap to diarmf: intro


diacap diarmf

image of diacap to rmf

DoD Chief Information Officer (formerly Assistant Security Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service goto “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation changes to the Risk Management Framework seen in NIST SP 800-37.

DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.

diacap to diarmf

road to diarmf


Federal government has gotten more serious about security.  They realize that enterprise level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk based/cost effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

 Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Required for all government agencies  to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.

The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  •  Federal Information Security Management Act of 2002 (amended as of 2013 April)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources