NIST SP 800-37 Rev 2

United States

vRev 2

7 domains

47 controls

NIST SP 800-37 Revision 2 Risk Management Framework for Information Systems and Organizations.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

Assess

6 controls

Controls in the Assess domain of NIST SP 800-37 Rev 2 — 6 controls
Code	Title	Description
A-1	Assessor Selection	Select the appropriate assessor or assessment team for the type of control assessment to be conducted.
A-2	Assessment Plan	Develop, review, and approve plans to assess implemented controls.
A-3	Control Assessments	Assess the controls in accordance with the assessment procedures described in the assessment plans.
A-4	Assessment Reports	Prepare the assessment reports documenting the findings and recommendations from the control assessments.
A-5	Remediation Actions	Conduct initial remediation actions on the controls and reassess the remediated controls.
A-6	Plan of Action and Milestones	Prepare the plan of action and milestones (POA&M) based on the findings and recommendations of the assessment reports.

Authorize

5 controls

Controls in the Authorize domain of NIST SP 800-37 Rev 2 — 5 controls
Code	Title	Description
R-1	Authorization Package	Assemble the authorization package and submit the package to the authorizing official for an authorization decision.
R-2	Risk Analysis and Determination	Analyze and determine the risk from the operation or use of the system or the provision of common controls.
R-3	Risk Response	Identify and implement a preferred course of action in response to the risk determined.
R-4	Authorization Decision	The authorizing official renders an authorization decision for the system or common controls.
R-5	Authorization Reporting	Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.

Categorize

3 controls

Controls in the Categorize domain of NIST SP 800-37 Rev 2 — 3 controls
Code	Title	Description
C-1	System Description	Document the characteristics of the system including purpose, function, components, and connections.
C-2	Security Categorization	Categorize the system and document the results based on the impact of loss of confidentiality, integrity, and availabili...
C-3	Categorization Decision	The Authorizing Official or designated representative reviews and approves the security categorization results and decis...

Implement

2 controls

Controls in the Implement domain of NIST SP 800-37 Rev 2 — 2 controls
Code	Title	Description
I-1	Control Implementation	Implement the controls in the security and privacy plans for the system and for the organization.
I-2	Update Control Implementation Information	Document changes to planned control implementations based on the as-implemented state of controls.

Monitor

7 controls

Controls in the Monitor domain of NIST SP 800-37 Rev 2 — 7 controls
Code	Title	Description
M-1	System and Environment Changes	Monitor the system and its environment of operation for changes that impact the security and privacy posture.
M-2	Ongoing Assessments	Conduct ongoing assessments of control effectiveness in accordance with the continuous monitoring strategy.
M-3	Ongoing Risk Response	Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the PO...
M-4	Authorization Package Updates	Update plans, assessment reports, and POA&Ms based on the results of the continuous monitoring process.
M-5	Security and Privacy Reporting	Report the security and privacy posture of the system to the authorizing official and other organizational officials on...
M-6	Ongoing Authorization	Conduct ongoing authorizations of the system using the results of continuous monitoring activities and a time-driven or...
M-7	System Disposal	Implement a system disposal strategy and execute required actions when a system is removed from operation.

Prepare

18 controls

Controls in the Prepare domain of NIST SP 800-37 Rev 2 — 18 controls
Code	Title	Description
P-1	Risk Management Roles	Identify and assign individuals to specific roles associated with security and privacy risk management at the organizati...
P-10	Asset Identification	Identify assets that require protection within the system including information, hardware, software, services, and perso...
P-11	Authorization Boundary	Determine the authorization boundary of the system to establish the scope of protection responsibilities.
P-12	Information Types	Identify the types of information processed, stored, and transmitted by the system.
P-13	Information Life Cycle	Identify and understand all stages of the information life cycle for each information type processed by the system.
P-14	Risk Assessment System	Conduct a system-level risk assessment and update results on an ongoing basis.
P-15	Requirements Definition	Define the security and privacy requirements for the system and environment of operation.
P-16	Enterprise Architecture Alignment	Determine the placement of the system within the enterprise architecture.
P-17	Requirements Allocation	Allocate security and privacy requirements to the system and to the environment of operation.
P-18	System Registration	Register the system with appropriate organizational program or management offices.
P-2	Risk Management Strategy	Establish a risk management strategy for the organization that includes a determination and expression of organizational...
P-3	Risk Assessment Organization	Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.
P-4	Organizationally-Tailored Control Baselines	Establish, document, and publish organizationally-tailored control baselines and cybersecurity framework profiles.
P-5	Common Control Identification	Identify, document, and publish organization-wide common controls that are available for inheritance by organizational s...
P-6	Impact-Level Prioritization	Prioritize organizational systems with the same impact level to focus resources on the most critical systems first.
P-7	Continuous Monitoring Strategy Organization	Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
P-8	Mission or Business Focus	Identify the missions, business functions, and mission or business processes that the information system is intended to...
P-9	System Stakeholders	Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, and dispos...

Select

6 controls

Controls in the Select domain of NIST SP 800-37 Rev 2 — 6 controls
Code	Title	Description
S-1	Control Selection	Select the controls for the system and the environment of operation, including a baseline from SP 800-53B.
S-2	Control Tailoring	Tailor the controls selected for the system and the environment of operation through scoping, parameterization, and supp...
S-3	Control Allocation	Allocate security and privacy controls to the system and to the environment of operation.
S-4	Documentation of Planned Control Implementations	Document the controls in the security and privacy plans, including planned implementation approaches.
S-5	Continuous Monitoring Strategy System	Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with the organizat...
S-6	Plan Review and Approval	Review and approve the security and privacy plans for the system and the environment of operation.

Frequently Asked Questions

What is NIST SP 800-37 Rev 2?

NIST SP 800-37 Rev 2 is a compliance framework from United States with 7 domains and 47 controls. NIST SP 800-37 Revision 2 Risk Management Framework for Information Systems and Organizations. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-37 Rev 2 have?

NIST SP 800-37 Rev 2 has 47 controls organised across 7 domains. The largest domains are Prepare (18 controls), Monitor (7 controls), Assess (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-37 Rev 2 map to?

NIST SP 800-37 Rev 2 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-37 Rev 2 compliance?

Start your NIST SP 800-37 Rev 2 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-37 Rev 2 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 47 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 768 frameworks.

Get Started Free →

Free forever — no credit card required