NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
https://doi.org/10.6028/NIST.SP.800-37r2
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
December 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
________________________________________________________________________________________________
PAGE i
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and
guidelines shall .
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development life cycles, and incorporating supply chain risk management. Organizations can use the RMF and its processes to effectively manage security, privacy, and supply chain risks to operations and assets.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
Bluedog White Paper - overview of RMF implementation.pdftom termini
The Risk Management Framework (RMF) is an integral component of information security management, primarily associated with NIST's SP 800-37 guide, as a part of the broader E-Government Act of 2002, seeks to enhance the management of electronic government services and processes.
RMF guides federal agencies through a well-defined seven-step process, ensuring the security, authorization, and effective management of IT systems. Notably, RMF Revision 2 stands out as the first NIST publication to holistically address both privacy and security risk management within a single, integrated methodology.
These steps include preparation, categorization, security controls, authorizing systems, and monitoring. Implementing these steps ensures a comprehensive approach to information security and risk mitigation, aligning with regulatory requirements and the commitment to safeguard data confidentiality, integrity, and availability. NIST's RMF brings standardization and improved reciprocity across government controls and language, enabling risk-focused solutions tailored to diverse components and systems.
This document summarizes NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems and organizations. It describes how organizations can select controls to protect operations, assets, individuals and organizations from threats. The controls are customizable and implemented as part of an organization-wide risk management process. It also describes how specialized control overlays can be developed for specific environments. Finally, it addresses both security functionality and assurance to ensure systems are sufficiently trustworthy.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development life cycles, and incorporating supply chain risk management. Organizations can use the RMF and its processes to effectively manage security, privacy, and supply chain risks to operations and assets.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
Bluedog White Paper - overview of RMF implementation.pdftom termini
The Risk Management Framework (RMF) is an integral component of information security management, primarily associated with NIST's SP 800-37 guide, as a part of the broader E-Government Act of 2002, seeks to enhance the management of electronic government services and processes.
RMF guides federal agencies through a well-defined seven-step process, ensuring the security, authorization, and effective management of IT systems. Notably, RMF Revision 2 stands out as the first NIST publication to holistically address both privacy and security risk management within a single, integrated methodology.
These steps include preparation, categorization, security controls, authorizing systems, and monitoring. Implementing these steps ensures a comprehensive approach to information security and risk mitigation, aligning with regulatory requirements and the commitment to safeguard data confidentiality, integrity, and availability. NIST's RMF brings standardization and improved reciprocity across government controls and language, enabling risk-focused solutions tailored to diverse components and systems.
This document summarizes NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems and organizations. It describes how organizations can select controls to protect operations, assets, individuals and organizations from threats. The controls are customizable and implemented as part of an organization-wide risk management process. It also describes how specialized control overlays can be developed for specific environments. Finally, it addresses both security functionality and assurance to ensure systems are sufficiently trustworthy.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This document summarizes NIST Special Publication 800-53 Revision 5 which provides a catalog of security and privacy controls for information systems and organizations. It contains controls that protect operations, assets, individuals and organizations from various threats. The controls are flexible, customizable and implemented as part of managing risk. They address diverse requirements from mission needs, laws, and policies. The controls consider both functionality, the strength of functions, and assurance, the confidence in security/privacy capabilities. This helps ensure trustworthy information technology and systems.
PYA Principal Barry Mathis presented “The IT Analysis Paralysis,” in which attendees:
Received a compressive review of the many IT frameworks that can be used to develop effective internal audit programs.
Learned the differences between commercial, federal, and industry frameworks.
Received tips, tools, and techniques for creating an effective framework based on risk assessment and identified risks.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
The document summarizes a risk assessment framework for an electronic medical records storage company. It discusses identifying risks and vulnerabilities, determining the likelihood and impact of threats, assessing security controls, and recommending additional controls to mitigate risks. The goal is to comply with HIPAA requirements and adopt standards from the National Institute of Standards and Technology.
NIST Special Publication 800-53 Revision 4 Securit.docxvannagoforth
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
________________________________________________________________________________________________
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
Comments on this publication ma ...
Instructions Describe the risk assessment process and how to desi.docxnormanibarber20063
The document provides guidance on conducting risk assessments and designing response plans. It discusses how senior management support is important for effective risk assessment and response planning. When IT designs plans without senior management buy-in, the results can be ineffective. A top-down approach is used in information security to ensure senior management support and input on risk management.
NIST to CSF to ISO or EC 27002 2022 with NISTebonyman0007
The document discusses two cybersecurity frameworks that are widely adopted in the US - the NIST Cybersecurity Framework (CSF) and the information security management system (ISMS) defined in ISO 27001. The CSF provides guidance for critical infrastructure sectors through its core functions, profiles, and implementation tiers. ISO 27001 specifies requirements for a best practice ISMS focused on people, processes, and technology. Both frameworks use a risk-based approach and are outcome focused. Adopting one or both can help organizations address the increasing costs and risks of data breaches through a controlled, long-term approach to cybersecurity.
This document discusses cybersecurity standards and frameworks. It provides information on ISO 27001, a widely recognized international cybersecurity standard. It also discusses NIST Publication 800-53, the most widely used cybersecurity framework in the US, which defines 20 control families for managing cybersecurity risks. The document explains the differences between standards and frameworks and lists some of the major control families in NIST 800-53, including access control, awareness and training, audit and accountability, and incident response.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
This document provides guidance for applying systems security engineering principles and practices to the development of secure systems. It discusses integrating security considerations into each stage of the system development life cycle based on the International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers 15288 standard for systems and software engineering. The purpose is to address security issues from stakeholders' protection needs and requirements perspectives using established engineering processes to ensure those needs are adequately addressed throughout the system life cycle.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
NIST Special Publication 800-39 Managi.docxvannagoforth
NIST Special Publication 800-39 Managing Information
Security Risk
Organization, Mission, and Information
System View
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
I N F O R M A T I O N S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2011
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix ...
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
A cyber security audit evaluates an organization's cyber security policies, procedures, and controls to identify vulnerabilities. It assesses whether preventative tools like firewalls and antivirus software are in place and properly maintained, and whether users receive security awareness training. A cyber security audit follows standards from the National Institute of Standards and Technology and examines threats from both internal and external factors. The audit process involves management, which owns risk decisions; risk management professionals, who assess risks and solutions; and internal auditors, who provide an independent evaluation of controls.
Guide for Applying The Risk Management Framework to Federal Information SystemsGuillermo Remache
This document provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The RMF is a six-step process for integrating security and risk management activities into the system development life cycle. The six steps are: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls. Applying the RMF helps ensure security controls are built into systems and risks are managed on an ongoing basis through activities such as continuous monitoring. The document is intended for individuals involved in system development, security, and risk management.
1IntroductionThe objective of this study plan is to evaluate.docxrobert345678
1
Introduction
The objective of this study plan is to evaluate the viability of our solution in relation to previously conducted test cases for companies operating in industries analogous to those of our own. In this section, we will concentrate on the manner in which these use cases measure the performance characteristics of various technical and behavioral qualities connected with an investment in technology made on behalf of a business. The viewpoints and data sources of stakeholders will be incorporated into our measuring system. This measurement framework will be utilized by us in order to assess and analyze the overall performance of our product. After the solution has been implemented, we will conduct post-implementation evaluations to determine how the solution affected the organization. The management of change will play a significant role in our overall research agenda. The plan will adhere to a certain format in providing the findings of the data analysis.
Measurement framework
In order to present an all-encompassing picture of performance, the measuring framework must to take into account the many stakeholder viewpoints as well as the various data sources. Perspectives from stakeholders may come from a variety of sources, such as the user community, project managers, or senior leadership. Customer feedback, system logs, and performance statistics are three examples of potential data sources (Thabane, 2009).
The purpose of the measurement framework is to supply stakeholders with viewpoints and data sources that may be utilized to evaluate the effectiveness of an investment in technology. The framework consists of four dimensions: behavioral characteristics, organizational aspects, user factors, and technological qualities (McShane, 2018). To evaluate how well the technology investment is working out, there is a separate set of performance indicators linked with each of the dimensions of the evaluation.
Indicators such as system uptime, reaction time, and throughput are examples of technical qualities. Indicators that make up behavioral qualities include things like user happiness, adoption rates, and the costs of training. Indicators like as return on investment (ROI) and total cost of ownership are included in the category of organizational variables (TCO). The metrics that make up user factors include things like user happiness, adoption rates, and training expenses (McShane, 2018).
The measuring framework draws its information from a variety of data sources, including organizational data, user data, performance data, and financial data. The return on investment (ROI) and total cost of ownership (TCO) of the technological investment may both be calculated using financial data (Jalal, 2017). The uptime, reaction time, and throughput of the system may all be evaluated based on the performance statistics. Data from users may be analyzed to determine factors such as user happiness, adoption rates, and the costs of training (Thabane,.
More Related Content
Similar to NIST Special Publication 800-37 Revision 2 Ris.docx
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This document summarizes NIST Special Publication 800-53 Revision 5 which provides a catalog of security and privacy controls for information systems and organizations. It contains controls that protect operations, assets, individuals and organizations from various threats. The controls are flexible, customizable and implemented as part of managing risk. They address diverse requirements from mission needs, laws, and policies. The controls consider both functionality, the strength of functions, and assurance, the confidence in security/privacy capabilities. This helps ensure trustworthy information technology and systems.
PYA Principal Barry Mathis presented “The IT Analysis Paralysis,” in which attendees:
Received a compressive review of the many IT frameworks that can be used to develop effective internal audit programs.
Learned the differences between commercial, federal, and industry frameworks.
Received tips, tools, and techniques for creating an effective framework based on risk assessment and identified risks.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
The document summarizes a risk assessment framework for an electronic medical records storage company. It discusses identifying risks and vulnerabilities, determining the likelihood and impact of threats, assessing security controls, and recommending additional controls to mitigate risks. The goal is to comply with HIPAA requirements and adopt standards from the National Institute of Standards and Technology.
NIST Special Publication 800-53 Revision 4 Securit.docxvannagoforth
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
________________________________________________________________________________________________
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
Comments on this publication ma ...
Instructions Describe the risk assessment process and how to desi.docxnormanibarber20063
The document provides guidance on conducting risk assessments and designing response plans. It discusses how senior management support is important for effective risk assessment and response planning. When IT designs plans without senior management buy-in, the results can be ineffective. A top-down approach is used in information security to ensure senior management support and input on risk management.
NIST to CSF to ISO or EC 27002 2022 with NISTebonyman0007
The document discusses two cybersecurity frameworks that are widely adopted in the US - the NIST Cybersecurity Framework (CSF) and the information security management system (ISMS) defined in ISO 27001. The CSF provides guidance for critical infrastructure sectors through its core functions, profiles, and implementation tiers. ISO 27001 specifies requirements for a best practice ISMS focused on people, processes, and technology. Both frameworks use a risk-based approach and are outcome focused. Adopting one or both can help organizations address the increasing costs and risks of data breaches through a controlled, long-term approach to cybersecurity.
This document discusses cybersecurity standards and frameworks. It provides information on ISO 27001, a widely recognized international cybersecurity standard. It also discusses NIST Publication 800-53, the most widely used cybersecurity framework in the US, which defines 20 control families for managing cybersecurity risks. The document explains the differences between standards and frameworks and lists some of the major control families in NIST 800-53, including access control, awareness and training, audit and accountability, and incident response.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
This document provides guidance for applying systems security engineering principles and practices to the development of secure systems. It discusses integrating security considerations into each stage of the system development life cycle based on the International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers 15288 standard for systems and software engineering. The purpose is to address security issues from stakeholders' protection needs and requirements perspectives using established engineering processes to ensure those needs are adequately addressed throughout the system life cycle.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
NIST Special Publication 800-39 Managi.docxvannagoforth
NIST Special Publication 800-39 Managing Information
Security Risk
Organization, Mission, and Information
System View
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
I N F O R M A T I O N S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2011
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix ...
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
A cyber security audit evaluates an organization's cyber security policies, procedures, and controls to identify vulnerabilities. It assesses whether preventative tools like firewalls and antivirus software are in place and properly maintained, and whether users receive security awareness training. A cyber security audit follows standards from the National Institute of Standards and Technology and examines threats from both internal and external factors. The audit process involves management, which owns risk decisions; risk management professionals, who assess risks and solutions; and internal auditors, who provide an independent evaluation of controls.
Guide for Applying The Risk Management Framework to Federal Information SystemsGuillermo Remache
This document provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The RMF is a six-step process for integrating security and risk management activities into the system development life cycle. The six steps are: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls. Applying the RMF helps ensure security controls are built into systems and risks are managed on an ongoing basis through activities such as continuous monitoring. The document is intended for individuals involved in system development, security, and risk management.
Similar to NIST Special Publication 800-37 Revision 2 Ris.docx (20)
1IntroductionThe objective of this study plan is to evaluate.docxrobert345678
1
Introduction
The objective of this study plan is to evaluate the viability of our solution in relation to previously conducted test cases for companies operating in industries analogous to those of our own. In this section, we will concentrate on the manner in which these use cases measure the performance characteristics of various technical and behavioral qualities connected with an investment in technology made on behalf of a business. The viewpoints and data sources of stakeholders will be incorporated into our measuring system. This measurement framework will be utilized by us in order to assess and analyze the overall performance of our product. After the solution has been implemented, we will conduct post-implementation evaluations to determine how the solution affected the organization. The management of change will play a significant role in our overall research agenda. The plan will adhere to a certain format in providing the findings of the data analysis.
Measurement framework
In order to present an all-encompassing picture of performance, the measuring framework must to take into account the many stakeholder viewpoints as well as the various data sources. Perspectives from stakeholders may come from a variety of sources, such as the user community, project managers, or senior leadership. Customer feedback, system logs, and performance statistics are three examples of potential data sources (Thabane, 2009).
The purpose of the measurement framework is to supply stakeholders with viewpoints and data sources that may be utilized to evaluate the effectiveness of an investment in technology. The framework consists of four dimensions: behavioral characteristics, organizational aspects, user factors, and technological qualities (McShane, 2018). To evaluate how well the technology investment is working out, there is a separate set of performance indicators linked with each of the dimensions of the evaluation.
Indicators such as system uptime, reaction time, and throughput are examples of technical qualities. Indicators that make up behavioral qualities include things like user happiness, adoption rates, and the costs of training. Indicators like as return on investment (ROI) and total cost of ownership are included in the category of organizational variables (TCO). The metrics that make up user factors include things like user happiness, adoption rates, and training expenses (McShane, 2018).
The measuring framework draws its information from a variety of data sources, including organizational data, user data, performance data, and financial data. The return on investment (ROI) and total cost of ownership (TCO) of the technological investment may both be calculated using financial data (Jalal, 2017). The uptime, reaction time, and throughput of the system may all be evaluated based on the performance statistics. Data from users may be analyzed to determine factors such as user happiness, adoption rates, and the costs of training (Thabane,.
1Project One Executive SummaryCole Staats.docxrobert345678
1
Project One: Executive Summary
Cole Staats
Southern New Hampshire University
BUS 225: Critical Business Skills for Success
Jennyfer Puentes
November 14, 2022
Project One: Executive SummaryProblem
With the restricted economic activity expected because of the COVID-19 outbreak, and the rise in inflation the revenue for the automobile engine and parts manufacturing industry has been adjusted to decline by 10.9% by the end of 2022 (Pantalon, 2022). Based on the current challenges the automotive industry faces, we must diversify our engine manufacturing and its operations to expand our revenue. In this presentation, I will be using qualitative and quantitative data to explain why I think our company should rapidly explore the ever-evolving and growing popularity of the electric car industry and develop electric motors. I will show the qualitative data which will focus on the industry reports of engine manufacturing inside the automotive industry. The quantitative data that I will provide will estimate the projections for future operations and provide fact-checked historical data on the automotive industry. Automotive Manufacturing Industry
After conducting extensive research into the current automotive industry status, where I focused on the performance and expectations for the industry's future, the 2021 measured revenue of the US car and automobile manufacturing was $75 billion. This is compared to previous years, such as 2020 $69 billion, and in 2019 and 2018 $92 billion (MarketLine 2021). Although we saw a rise from 2020 to 2021 in revenue the automobile manufacturing industry revenue will continue to not keep pace with previous years. As the domestic demand for new vehicles trends higher, three automotive hubs are expected to gain greater traction over the next few years. With that said the US automotive industry is heavily established in the Great Lakes region. This region represents just over 36% of the automobile manufacturers in the US. Some of the most successful automobile making are located here which include the Ford Motor Company, General Motors, and Fiat Chrysler. All these manufacturers are in Michigan which makes up 15% of all automobile manufacturing revenue in the US. With that said there are 2 more regions where automobile manufacturers operate that make up 50% of all us manufacturers' locations. The Regions are the West Region, making up 25.4% of the industry locations, and the Southeast Region, making up 24.6% of the industry locations. After conducting research, the consumer's current mindset is shifting towards a “greener” option for the automobile. This option would have a smaller carbon footprint, providing an increase in producing vehicles that are more environmentally friendly. As a result of this new stance on a “greener” option by the consumer the hybrid and the electric car are gaining popularity and are expected to multiply over the next five years (MarketLine 2018). “In 2025 the North American hybri.
1
Management Of Care
Chamberlain University
NR452: Capstone
Professor Alison Colvin.
Date: November 23, 2022.
Management of Care
Management of care involves organizing, prioritizing, maintaining strict patient confidentiality, providing patient with efficient care, education to patient and families, risk stratification, coordination of care transition and medication management. Patient care management is provided to client by nurses and other health care professionals “Management of the critically injured patient is optimized by a coordinated team effort in an organized trauma system that allow for rapid assessment and initiation of life- preserving therapies. (Cantrell, E., & Doucet, J. 2018). Effective patient care management can impact patient heath more positively, when all healthcare professionals work together to provide quality care in promoting patient centered care. Adequate patient care can prevent readmission or admission, also can reduce distress, total cost of care, improve self-management, disease control and patient overall health.
Patient care is important to patient because its ensure that patient receive the needed possible care they deserve when in the hospital and out of the hospital, patient will feel their demand is understood and listened to if they health needs are met and understood by professionals that know how to manage their health care needs, health care management team member work together to ensure patient safety through effective communication and collaboration, advocating for patient by connecting patient to community and social services resources that will promote their health care needs can be beneficial to patient, environmental and home risk assessment, and effective facilitation of communication between members of the healthcare team.
Nurses play a role in managing a patient health, roles such as: Critical thinking skills, in this case the nurse can recognize any shift in patient health status which plays a significant role in decision making and patient centered care. Time management: delegation, prioritization such as knowing what to do first, what is important, and knowing what task is more important for the patient at a particular time. Patient education is also one of the many role’s nurses do to educate patient on what to expect during a procedure, or during recovery, also teachings on complications or adverse effects of a medication. Clinical reasoning and judgement which will promote quality of health through patient centered care that addresses patient specific health care needs. Holman, H. C., Williams, “et al”. (2019).
References
Cantrell, E., & Doucet, J. (2018). Initial Management of Life-Threatening Trauma.
DeckerMed Critical Care of the Surgical Patient.
https://doi.org/10.2310/7ccsp.2129
Holman, H. C., Williams, D., Johnson, J., Sommer, S., Ball, B. S., Lemon, T.,
& Assessment Technologies Institute. (2019). Nursing leadership
an.
1NOTE This is a template to help you format Project Part .docxrobert345678
This document provides a template for a student to complete a statistical analysis project involving descriptive statistics, hypothesis testing, and regression analysis. The template outlines the content and statistical analyses to be performed on two variables - sales and calls - including descriptive statistics, hypothesis tests, correlation, regression equation, and estimates. The student is instructed to input their results, analyses, and conclusions into the template for their assignment submission.
15Problem Orientation and Psychologica.docxrobert345678
1
5
Problem Orientation and Psychological Distress Among Adolescents: Do Cognitive Emotion Regulation Strategies Mediate Their Relationship?
Student's name; students' names
Department affiliation; university affiliation
Course name; course number
Instructors’ name
Assignment due date
Part One
The development of essential attitudes and abilities that help determine a person's susceptibility to psychological discomfort occurs throughout adolescence's formative years. This particular research aimed to investigate the relationship between problem-solving-oriented and cognitive-behavioral techniques for emotion regulation and levels of psychological discomfort (Speyer etal.,2021).
Notably, the issue of violence among adolescents is increasingly recognized as a severe problem in terms of public health. However, little research has investigated the importance of techniques to control cognitive emotion in teenagers, despite the increased interest in psychographic risk factors for violent conduct. The primary focus of this study will be to investigate the frequency of violent behaviors shown by adolescents and to determine the nature of the connection that exists between specific coping mechanisms for regulating cognition and emotion and various manifestations of aggressive behavior. Using confidential, self-reporting questionnaires, the research will conduct a cross-sectional survey of 3,315 students in grades 7 to 10 to investigate methods by which young adolescents may manage their cognitive processes, emotions, and actions connected to violence. The participants will be notified about the survey, but their personal information will not be public under any circumstances since this would violate ethical standards.
The influence of a father on his children might also vary depending on the gender and age of the kid. For boys, parental psychological distress is related to higher internalizing and externalizing issues throughout early adolescence. This finding lends credence to the notion that this stage of development may be especially significant in father-son exchanges. On the other hand, there is a correlation between maternal and paternal psychological discomfort in early infancy and increased levels of internalizing and externalizing difficulties in females (Speyer et al.,2021). Growing up with a father who struggles with mental illness may make girls more reserved, reducing the possibility that they would acquire issues that are manifested outside their bodies. This is one of the possible explanations.
Part Two
The whole of this project shall be guided by the research questions below: (what is the prevalence of adolescent violent behaviors? what is the relationship between specific strategies to regulate cognitive emotion and forms of violent behavior?)
To help operationalize the variables, a logistic regression model will be used to determine the nature of the connection between specific violent actions .
122422, 850 AMHow to successfully achieve business integrat.docxrobert345678
12/24/22, 8:50 AMHow to successfully achieve business integration - Chakray
Page 1 of 8https://www.chakray.com/how-to-successfully-achieve-business-integration/
How to successfully achieve
business integration
The whole process of integrated
business computing is a big step for
any company. From the moment it
decides to group all systems and
applications, the company must devote
much effort in creating a more
productive environment in accordance
Subscribe to our newsletter
Home Articles How to successfully achieve business integration
Enter your email address below to receive
the latest articles, ebooks and newsletters
from Chakray direct to your inbox!
MORE ENCONTACTINITIATIVES EXPERTISE TECHNOLOGIES SERVICES IMPLEMENTATION
https://www.chakray.com/
https://www.chakray.com/articles/
https://www.chakray.com/
https://www.chakray.com/contact/
https://www.chakray.com/initiatives/
https://www.chakray.com/expertise/
https://www.chakray.com/technologies/
https://www.chakray.com/services/
https://www.chakray.com/implementation/
12/24/22, 8:50 AMHow to successfully achieve business integration - Chakray
Page 2 of 8https://www.chakray.com/how-to-successfully-achieve-business-integration/
to the environment in which it is
located. Business integration is a
necessity. From many points of view
and experiences, the different strategies
have brought success to many
companies that were therefore
encouraged to carry out the entire
integration process. The benefits speak
for themselves: lower expenses for
systems, automation of processes, less
time spent in work, better control of
information.
-You can’t miss the 7 benefits of
Enterprise Application Integration!-
This is due to the fact that integrated
business computing works better. The
company’s IT works as a stage for the
renewal of its functions. Its capacity for
updating and deleting errors, as well as
cloud adaptation or hybrid operation,
allows it to generate unparalleled
results.
Companies with integrated business
computing are not only more
productive, but they also stand above
their competitors thanks to the great
work capacity they can assume. It
doesn’t matter if the systems they have
are complex, the management is simple
and allows work policies to be fulfilled
and its employees to perform better.
Share
Popular Articles
Email
SUBSCRIBE
The four dimensions of a hybrid
integration platform
Why All Organisations Must
Prioritise Digital Agility In Response
To Coronavirus
What are microservices?:
Definition, characteristics,
advantages and disadvantages
5 main benefits of Identity
Management
Contact our team to discuss your
needs and find out how Chakray
can help can help deliver your
successful outcomes, talk to our
experts!
GET IN TOUCH
https://www.chakray.com/en/7-benefits-of-enterprise-application-integration-eai/
https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.chakray.com%2Fhow-to-successfully-achieve-business-integration%2F
https://twitter.com/intent/tw.
1PAGE 5West Chester Private School Case StudyGrand .docxrobert345678
1
PAGE
5
West Chester Private School Case Study
Grand Canyon University
MGT-420: Organizational Behavior and Management
December 11th, 2022
West Chester Private School
Your introduction should be typed here. It should be at least four sentences and include a thesis statement that introduces all the key points of the paper. Please note that you should follow all APA writing rules within your essay. This means avoid first and second person, do not use contractions, and use citations throughout your paper. The final sentence in your introduction must be a strong thesis statement that introduces every key topic that will be introduced in the paper. Remember that a thesis should be one sentence. Here is an example: In the pages to follow, West Chester Private School (WCPS) will be discussed in the context of open systems, organizational culture, the decision to close and the closure process, the impact of technology and innovation on stakeholders, administration closure options, the plans for future direction of WCPS, along with the four functions of management.
External Environment and Open Systems
There are certain ways in which organizations interact with their external environment (as open systems). These ways rely on the Systems Approach to Management Theory, which perceives an organization as an open system that consists of interdependent and interrelated parts interacting as sub-systems (Jackson, 2017). Generally, organizations rely on the exchange of resources and information with their environments. More so, they cannot hold complete control over their behavior and actions, which are significantly impacted by external forces. For example, an organization may be impacted by various environmental conditions such as government regulations, client demands, and raw material availability. As an open system, an organization can interact with the external environment in the context of inputs, transformations, and outputs. Inputs refer to both human and non-human resources like materials, energy, and information. Transformations refer to the conversion of inputs into outputs. For example, a school can transform a student into an educated individual. Finally, outputs refer to what an organization is giving to the environment.
Internal Environment and Organizational Culture
At the time of the closure, the effectiveness of West Chester Private School (WCPS) as an open system was inadequate. One important factor that impacts the effectiveness of an open system is feedback. Feedback refers to the information that an open system receives from the external environment, which can be used to maintain a system at optimal working conditions or a steady state (Jung & Vakharia, 2019). In the case of WCPS, feedback could be received from parents, teachers, and students. At the time of the closure, none of these stakeholders was consulted. Instead, WCPS made a unilateral decision to close down two campuses without considering the input of parents, te.
12Toxoplasmosis and Effects on Abortion, And Fetal A.docxrobert345678
12
Toxoplasmosis and Effects on Abortion, And Fetal Abnormalities
Toxoplasmosis and Effects on Abortion, And Fetal Abnormalities
Abstract
The placenta is an immune-privileged organ that may tolerate antigen exposure without eliciting a strong inflammatory response that could result in an abortion. After that, the pregnancy can progress normally. Th1 answers, characterized by interferon-, are essential for suppressing intracellular infections. Therefore, the maternal immune system finds a catch-22 when intracellular parasites invade the placenta. The pro-inflammatory response required to eradicate the virus carries the danger of causing an abortion. Toxoplasma is a potent parasite that causes lifetime infections and is a leading cause of abortions in people and animals. This paper speculates that the pregnancy outcome may be affected by the Toxoplasma strain and the effectors of the parasite, both of which can modify the signaling pathways of the host cell.
Introduction
Fetuses infected with the protozoan parasite Toxoplasma gondii can develop a disorder known as toxoplasmosis, sometimes called congenital toxoplasmosis. This disease is transmitted from mother to child in the womb. A miscarriage or a stillbirth might happen as a result. A child with this illness may also have significant and progressively deteriorating difficulties in their vision, hearing, motor skills, cognitive ability, and other areas of development. The parasite Toxoplasma gondii is blamed for many pregnancies ending in miscarriage (Arranz-Solís et al., 2021). Most abortions happen in the first trimester of pregnancy or during the early stages of acute sickness. This research aimed to determine if women who had an abortion were more likely to be infected with toxoplasmosis.
To make matters worse, the toxoplasmosis-causing Toxoplasma gondii is an obligate intracellular pathogen that infects nearly every animal species with a thermoregulatory system. Transferring Toxoplasma from one host to another requires the development of tissue cysts that are infectious when ingested. This means the parasite is incentivized to ensure that the host organism lives during the infection. The parasite does this by stimulating an immune response powerful enough to limit parasite reproduction. Toxoplasma, on the other hand, uses a unique set of effectors to evade the immune response and ensure that the parasite population does not decrease to zero.
Results
Type II strains are the most common cause of infection in both animal and human hosts. However, all four clonal lineages of Toxoplasma may be found throughout Europe and North America. It has been established, however, that the bulk of the South American isolates identified is genetically distinct from the strains seen in North America and Europe. Certain sorts of isolates have been labeled as atypical strains. Birth abnormalities apart, type II strains are the most common in Europe and North America, where the great majority of .
122022, 824 PM Rubric Assessment - SOC1001-Introduction to .docxrobert345678
This document contains a rubric used to assess a student's draft and final submission of a sociology project. The rubric evaluates students on criteria such as including an introduction and conclusion, developing body paragraphs with support and examples, using proper grammar and APA style, and submitting a draft for feedback. Points are awarded on a scale from 0 to 40 for each criterion, with 0 being no submission and higher scores reflecting more developed, error-free work. The total possible score is 120 points.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
(If the numbers are too big for your calculator, try
this online calculator.
22.
image11.png
image21.png
image8.png
image13.png
image16.png
image18.png
image23.png
image14.png
image15.png
image19.png
image22.png
image6.png
image24.png
image12.png
image5.png
image3.png
image17.png
image7.png
image4.png
image1.png
image2.png
image20.png
image9.png
image10.png
1 of 1 DOCUMENT
JAMES E. PETERSON, Plaintiff-Appellant, v. HAROLD KENNEDY, RICHARD
A. BERTHELSEN, and NATIONAL FOOTBALL LEAGUE PLAYERS
ASSOCIATION, Defendants-Appellees
No. 84-5788
UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT
771 F.2d 1244; 1985 U.S. App. LEXIS 23077; 120 L.R.R.M. 2520; 103 Lab. Cas.
(CCH) P11,677
February 6, 1985, Argued and Submitted - Los Angeles, California
September 16, 1985, Decided
PRIOR HISTORY: [**1] Appeal from the United States District Court for the Southern District of California, D.C.
NO. CV-80-1810-N, Honorable Leland C. Nielsen, District Judge, Presiding.
CASE SUMMARY:
PROCEDURAL POSTURE: Plaintiff professional football player appealed from judgments of the United States
District Court for the Southern District of California entered in favor of defendant union on plaintiff's claim for breach
of the duty of fair representation and in favor of defendant attorneys on plaintiff's legal malpractice claim.
OVERVIEW: Plaintiff football player filed suit against defendant union for breach of the duty of fair representation,
alleging that defendant attorneys, who were staff counsel for defendant union, erroneously advised him to file the wrong
type of grievance and failed to rectify the error when there was an opportunity to do so. Plaintiff also claimed that
defendant attorneys committed malpractice. The trial court entered judgment for defendants. On appeal, the court
affirmed. The court found that defendant union did not act in an arbitrary, discriminatory, or bad faith manner and held
that mere negligence or an error in judgment was insufficient to impose liability for breach of the duty of fair
representation. The court affirmed the directed verdict in favor of defendant first attorney because a union attorney may
not be held liable in malpractice to an individual union member for acts performed as the union's agent in the collective
bargaining process. The court affirmed the summary judgment entered in favor of defendant second attorney. The trial
court lacked personal jurisdiction over him because his only contact with the forum state were phone calls and letters.
OUTCOME: The court affirmed the judgment in favor of defendant union because it did not breach its duty of fair
representation. The court affirmed the directed verdict in favor of defendant first attorney because he was not liable in
malpractice to plaintiff football player for acts he performed as the union's agent. The court affi.
121122, 1204 AM Activities - IDS-403-H7189 Technology and S.docxrobert345678
12/11/22, 12:04 AM Activities - IDS-403-H7189 Technology and Society 22EW2 - Southern New Hampshire University
https://learn.snhu.edu/d2l/common/dialogs/nonModal/blank.d2l?d2l_body_type=1&d2l_nonModalDialog_cb=d2l_cntl_68566de1f6094c60a65417448e14cb1f_1&d2l_nonModalDialog_cbwin=68566de1f6094c60a6541744… 1/5
IDS 403 Module Six Activity Rubric
Activity: 6-2 Activity: Reflection: Society
Course: IDS-403-H7189 Technology and Society 22EW2
Name: Jayee Johnson
Criteria Proficient Needs Improvement Not Evident Criterion Score
Reliable Evidence
from Varied Sources
30 / 30
Criterion Feedback
30 points
Integrates reliable
evidence from varied
sources throughout
the paper to support
analysis
22.5 points
Shows progress
toward proficiency,
but with errors or
omissions; areas for
improvement may
include drawing from
a diverse pool of
perspectives, using
more varied sources
to support the
analysis, or
integrating evidence
and sources
throughout the paper
to support the
analysis
0 points
Does not attempt
criterion
12/11/22, 12:04 AM Activities - IDS-403-H7189 Technology and Society 22EW2 - Southern New Hampshire University
https://learn.snhu.edu/d2l/common/dialogs/nonModal/blank.d2l?d2l_body_type=1&d2l_nonModalDialog_cb=d2l_cntl_68566de1f6094c60a65417448e14cb1f_1&d2l_nonModalDialog_cbwin=68566de1f6094c60a6541744… 2/5
Criteria Proficient Needs Improvement Not Evident Criterion Score
You did a good job in integrating evidence and support from outside sources.
Different General
Education Lens
22.5 / 30
Criterion Feedback
You needed to identify an alternative lens through which to view your specific technology. How would your analysis
of your identified technologyʼs role in your event have been different if viewed through this lens?
30 points
Explains at least one
way in which the
analysis might have
been different if
another general
education lens was
used to analyze the
technologyʼs role in
the event
22.5 points
Shows progress
toward proficiency,
but with errors or
omissions; areas for
improvement may
include connecting a
different lens to
technologyʼs role in
the event or
providing more
support of that
connection
0 points
Does not attempt
criterion
12/11/22, 12:04 AM Activities - IDS-403-H7189 Technology and Society 22EW2 - Southern New Hampshire University
https://learn.snhu.edu/d2l/common/dialogs/nonModal/blank.d2l?d2l_body_type=1&d2l_nonModalDialog_cb=d2l_cntl_68566de1f6094c60a65417448e14cb1f_1&d2l_nonModalDialog_cbwin=68566de1f6094c60a6541744… 3/5
Criteria Proficient Needs Improvement Not Evident Criterion Score
Interactions
30 / 30
Criterion Feedback
I thought that you did a really good job here in considering how your analysis of technology might impact your
interactions with those from other cultures or backgrounds.
30 points
Explains how
analyzing the
technologyʼs role in
the event can help
interactions with
those of a different
viewpoint, culture, or
perspectiv.
1. When drug prices increase at a faster rate than inflation, the .docxrobert345678
1. When drug prices increase at a faster rate than inflation, the groups of people that bear the burden of this increase are taxpayers and Medicare beneficiaries. Taxpayers are paying higher taxes as a result of increased government spending, and Medicare beneficiaries cannot keep up with the price of their prescriptions. When it comes to the factors in making a decision about increasing drug prices, I believe Big Pharma companies should act in a socially responsible manner, meaning they should base their decisions not solely on profit, and not solely on healthcare. There should be a balance, and new policies would be beneficial to help maintain that balance.
2. Lower-level employees have the responsibility to provide accurate information to management so that they can make the most informed decision. Lower-level employees also have the responsibility to not purposefully make material mistakes or purposefully not correct a known mistake.
3. Increased government spending will increase taxes for taxpayers and decrease available spending for other worthy issues. Taxpayers will essentially pay more in taxes and therefore have less income available. With drug prices rising faster than inflation, this will cause a widening gap between annual income and costs. Also, private health insurance costs will increase premiums and out of pocket costs for members. The stakeholders most directly impacted are the senior citizens that are dependent on their medication and can’t afford it or any other out of pocket costs because of the already wide gap between their income and expenses. I believe the government itself can be seen as a stakeholder as well because as they continue to increase Medicare funding, their deficit increases, causing them to take action to allocate resources effectively.
4. If the increase in price of existing drugs is preventing those who need those drugs from obtaining them, then to me it is hard to justify the increase based on R&D. There will always be a trade-off between affordable drugs and how quickly we can get new drugs. The government must devise a policy that improves Big Pharma companies’ incentive for affordability
and innovation.
5. Explain what you think each of the following statements means in the context of moral development.
. How far are you willing to go to do the right thing?
1. Stage 6 of moral development is about universal “self-chosen” ethical principles. This stage is about following your conscience even if it violates the law. In thinking of moral development, as time passes, one’s level of ethical reasoning advances and some issues may spark moral outrage that force a response.
. How much are you willing to give up to do what you believe is right?
1. This statement relates to moral development and how sometimes doing the right thing can have negative consequences. For example, an employee may notice a purposeful mistake by a manager. Let’s assume the employee is certain they will receiv.
1. Which of the following sentences describe a child functioning a.docxrobert345678
This document contains a 5 question multiple choice assessment about child language development and metalinguistic abilities. It tests understanding of rhyming, sound identification, syllable segmentation and blending skills in children ages 2-6. These skills develop as children progress from pre-linguistic to metalinguistic levels of language understanding. The document also contains a literature review on factors that impact work-life balance and job satisfaction such as stress, behavioral traits, attachment styles and domain interference/facilitation. It proposes a study using surveys and journaling to identify issues for employees and design interventions to improve work-life balance and performance.
1. How did the case study impact your thoughts about your own fina.docxrobert345678
1. How did the case study impact your thoughts about your own finances?
2. What were your thoughts and observations as you created your own balance sheet?
3. How might the balance sheet help you in future financial planning?
4. How close to reality do you think your estimated personal cash flow statement will be if you track your actual income and expenses for a month?
1. It gave me the desire to track my finances more closely and objectively. I liked how we can determine our net worth through some simple calculations and our inflows and outflows per month. Generally, I rely on simple finance apps like
Mint to track my finances. Currently, I do not create monthly budgets, but I now believe such action could be helpful.
2. I know that I have more assets than I am counting in the excel sheet. Therefore, my net worth is potentially higher. I also have a variety of streaming platforms.
I would benefit from switching from one platform to another month by month to save money. Streaming platforms are not a significant expense. Currently, my most considerable expense is transportation. Since gas prices are falling, this will help increase my surplus.
3. Accounting is math: it either works or doesn’t. Each can be traced from its inception (a sale, an expense, a money transfer) to the line on the financial statement. Since I don’t have much experience with financials, I try to seek out a mentor who is a family member. A balance sheet will ensure that I am not spending foolishly and ensure I am making appropriate purchases within the limits I set for myself. Proper planning will ensure I maximize my net worth.
4. It is important to consider cash flow when planning for the future
. It is important to save money every month in order to be able to make better financial decisions in the future. I hope to use some investing approaches for beginners to purchase funds without getting into debt. Most people underestimate how much they truly spend in a month. Therefore, I am underestimating how much I spend as well. I eat out quite a bit with friends and family, so my restaurant bill for the holidays might be higher than anticipated.
Foreign Policy Association
China and America
Author(s): David M. Lampton
Source: Great Decisions , 2018, (2018), pp. 35-46
Published by: Foreign Policy Association
Stable URL: https://www.jstor.org/stable/10.2307/26593695
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact [email protected]
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms
Foreign Policy Association is collaborating with JSTOR to digitize, preserve.
1 The Biography of Langston Hughes .docxrobert345678
1
The Biography of Langston Hughes
Yanai Gonzalez
Ana G Mendez
November 17, 2022
The Biography of Langston Hughes
THE BIOGRAPHY OF LANGSTON HUGHES
2
On February 1, 1901, James Mercer Langston Hughes was born. He was born in
Joplin, Missouri, to James and Caroline Hughes, into a family of enslaved people and
enslavers (Leach, 2004). His father departed from the family, later divorcing their family,
forcing Langston's mother to move to Lawrence, Kansas, with his maternal grandmother. It
was from the latter that Langston learned about African American traditions, installing an
enormous sense of pride into the young man (Hughes et al., 2001). This greatly influenced his
writing, as evidenced by poems such as Mother to Son. He would then go on to join
Columbia University to study engineering, where he would write poetry for the Columbia
Daily Spectator. As a result of racial discrimination, he finally left the school and resided in
Harlem, where he was engulfed by the vibrant feeling of life (Leach, 2004).
Langston began cruising as a crewman aboard the S.S. Malone in 1923, after doing a
few odd jobs. He subsequently took his first white-collar job as Carter G. Woodson's assistant
at the Association for the Study of African American Life and History, a historian. He'd then
leave his work since it didn't enable him to write. He would later work as a busboy. He got
his big writing break when he met Vachel Lindsay, a famous poet of the time, with whom
Langston shared his poetry (Leach, 2004). Lindsay was heavily impressed and helped
Langston reach the big stage. Langston then went on to earn a Bachelor of Arts degree from
Lincoln University.
Langston began his literary career in 1921 by publishing The Crisis in the National
Association for the Advancement of Colored People magazine (Leach, 2004). The poem
Mother to Son was in this book and would go on to get much acclaim. He would go on to
release The Weary Blues along with other novels, short stories, and poems (Hughes et al.,
2001). He participated heavily in the Harlem Renaissance. Langston would pass away on
May 22, 1967, from surgery complications while being treated for prostate cancer.
Mother To Son by Langston Hughes
THE BIOGRAPHY OF LANGSTON HUGHES
3
Well, son, I’ll tell you:
Life for me ain’t been no crystal stair.
It’s had tacks in it,
And splinters,
And boards torn up,
And places with no carpet on the floor—
Bare.
But all the time
I’se been a-climbin’ on,
And reachin’ landin’s,
And turnin’ corners,
And sometimes goin’ in the dark
Where there ain’t been no light.
So boy, don’t you turn back.
Don’t you set down on the steps
’Cause you finds it’s kinder hard.
Don’t you fall now—
For I’se still goin’, honey,
I’se still climbin’,
And life for me ain’t been no crystal stair.
References
THE BIOGRAPHY OF LANGSTON HUGHES
4
Hughes, L., Hubbard, .
1 Save Our Doughmocracy A Moophoric Voter Registratio.docxrobert345678
This document provides a proposal for an event called "Save Our Doughmocracy: A Moophoric Voter Registration & Ice Cream Social Event" hosted by Ben & Jerry's and the Democratic National Committee. The event aims to help people register to vote in Georgia through a fun experience of sampling a new Ben & Jerry's ice cream flavor and connecting with Democratic candidates. The proposal outlines the event goals, strategy, SWOT analysis, target audience, location, timeline, budget, and marketing plan. The key goals are to support voter registration and Ben & Jerry's social mission of advocating for democracy. The event's uniqueness of combining voter registration, politics, and ice cream into one experience gives it a competitive advantage over similar
1 MINISTRY OF EDUCATION UNIVERSITY OF HAIL .docxrobert345678
1
MINISTRY OF EDUCATION
UNIVERSITY OF HAIL
COLLEGE OF ENGINEERING
كلية الهندسة
College of Engineering
Research Proposal Template
Please structure your Research Proposal based on the headings provided below, use a clear and legible font
and observe the page/word limit.
Research Project Title:
Motor Vehicle Safety Defects and Recall System: An Empirical Study in Saudi Arabia
Student Details:
Student Name
Student ID
Email Address
Date of Submission
Research Project
Serial No.
Supervisor Name Supervisor Signature Start Date
Only for College Officials Use
College Approval
Master of Quality Engineering and Management
Research Proposal
2
Master of Quality Engineering and Management 2020-2021
كلية الهندسة
College of Engineering
1- Research Title
Provide a short descriptive title of your proposed research (max. 20 words)
Motor Vehicle Safety Defects and Recall System: An Empirical Study in Saudi Arabia
2- Research Summary
Summarize the aims, significance and expected outcomes of your proposed research (max. 250 words).
It is to set the mechanism for recalling vehicles with manufacturing defects that affect in
one way or another the safety of vehicles and their users, and this is done by linking a
unified system in which the defective vehicle data is added and called in the system to
the maintenance centers of the concerned vehicle agencies. Workmanship defects are
classified as: (1) Basic defects, which are considered to have a serious and direct impact
on the safety of the vehicle and its users, and the inspection process cannot be passed
until after the defect is fixed. (2) Warning defects, which are considered a defect in the
product, but the effect of the defect does not threaten the safety of the vehicle and its
users pass the examination process and the defect is added as a warning only.
This research proposal aims to find the most effective way to reach every defected
vehicle and the effective way to deal with the vehicle owner to do the necessary changes
especially if it's related to safety in a systematic way. The purpose of the project is to
develop a new business model that was never used everywhere in the world and Saudi
Arabia will take the lead to publish this model to the rest of the world. Ensuring that the
practice will be used is the most effective practise as enabling to force the defected car
owner to have their vehicles fixed and the defected was solved.
Master of Quality Engineering and Management
Research Proposal
3
Master of Quality Engineering and Management 2020-2021
كلية الهندسة
College of Engineering
3- Introduction
This section should provide a description of the basic facts and importance of the research area - What is the research
area, the motivation of research, and how important is it for the industry practice/knowledge advancement? (max. 200 .
1
Assessment Brief
Module Code
Module Name Managing Operations and the Supply Chain
Level
7
Module Leader Andrew Gough
Module Code
BSOM046
Assessment title:
AS1: The Future of Work
Weighting: 40%
Submission dates:
13 December 2022, please see NILE (Northampton Integrated
Learning Environment) under Assessment Information
Feedback and Grades
due:
12 January 2023
Please read the whole assessment brief before starting work on the Assessment Task.
The Assessment Task
You will conduct a review of the literature to identify the origins of the concept of the
Technological Unemployment and to chart its development up to the present day.
Following your review, you are to critically evaluate the impact of Technological
Unemployment on a company of your choice.
You will be expected to illustrate your discussion with examples from the trade press
and other authoritative sources.
The word count limit for this assessment is 1800 words (+/- 10%). In line with normal
practice, tables, figures, references and appendices are excluded from this word count.
Pawanrat Meepian
Pawanrat Meepian
2
Assessment Breakdown
1. Establish the scenario for your report by selecting an organisation of any type, sector and
size to focus your report on. Describe:
a) Which organisation is it? (type, sector and size)
b) What are the main products and/or services provided by the organisation?
c) Who are the main customers?
(10% of word count)
2. Prepare a literature review, charting the development of the concept of Technological
Unemployment from its inception until the present day.
Ensure that you include references to at least 10 peer-reviewed articles, including the 2017
paper by Frey and Osborne that has been supplied. You may also find relevant reviews in
the trade press and from other authoritative sources.
(45% of word count)
3. Apply Frey and Osborne’s findings (Appendix A) in the context of your chosen company.
Consider a low impact scenario, when only jobs at high risk (> 70%) are replaced
by technology. How does Frey and Osborne’s study suggest that the company will change?
Compare the predictions implied by Frey and Osborne’s study with the recent work by
Cords and Prettner (2022).
In your view, is Technological Unemployment a net benefit to society?
(45% of word count)
Learning Outcomes
On successful completion of this assessment, you will be able to:
a) Recognise, analyse and critically reflect on key concepts, managerial frameworks
and techniques available to operations managers.
b) Demonstrate conceptual and practical understanding of the opportunities and
constraints that organisational characteristics place on operations managers and on
operational decision making in the supply chain context.
f) Demonstrate ability to relate theory to practice and to identify and proactively
anticipate broader implications for.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
How to Add Chatter in the odoo 17 ERP ModuleCeline George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
How to Fix the Import Error in the Odoo 17Celine George
An import error occurs when a program fails to import a module or library, disrupting its execution. In languages like Python, this issue arises when the specified module cannot be found or accessed, hindering the program's functionality. Resolving import errors is crucial for maintaining smooth software operation and uninterrupted development processes.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
NIST Special Publication 800-37 Revision 2 Ris.docx
1. NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
2. assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
https://doi.org/10.6028/NIST.SP.800-37r2
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
December 2018
3. U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of
Commerce for Standards and Technology
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE i
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
4. Authority
This publication has been developed by NIST to further its
statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44
U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information
security standards and guidelines,
including minimum requirements for federal information
systems, but such standards and
guidelines shall not apply to national security systems without
the express approval of the
appropriate federal officials exercising policy authority over
such systems. This guideline is
consistent with requirements of the Office of Management and
Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the
standards and guidelines made
mandatory and binding on federal agencies by the Secretary of
Commerce under statutory
authority. Nor should these guidelines be interpreted as altering
or superseding the existing
authorities of the Secretary of Commerce, OMB Director, or any
other federal official. This
publication may be used by nongovernmental organizations on a
voluntary basis and is not
subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special
Publication 800-37, Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-37, Rev. 2, 183
pages (December 2018)
5. CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology
Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-
8930
Email: [email protected]
All comments are subject to release under the Freedom of
Information Act (FOIA) [FOIA96].
Certain commercial entities, equipment, or materials may be
identified in this document to describe
an experimental procedure or concept adequately. Such
identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to
imply that the entities, materials, or
6. equipment are necessarily the best available for the purpose.
There may be references in this publication to other
publications currently under development by
NIST in accordance with its assigned statutory responsibilities.
The information in this publication,
including concepts, practices, and methodologies, may be used
by federal agencies even before the
completion of such companion publications. Thus, until each
publication is completed, current
requirements, guidelines, and procedures, where they exist,
remain operative. For planning and
transition purposes, federal agencies may wish to closely follow
the development of these new
publications by NIST.
Organizations are encouraged to review draft publications
during the designated public comment
periods and provide feedback to NIST. Many NIST publications,
other than the ones noted above,
are available at https://csrc.nist.gov/publications.
https://doi.org/10.6028/NIST.SP.800-37r2
mailto:[email protected]
https://csrc.nist.gov/publications
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
7. PAGE ii
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Reports on Computer Systems Technology
The National Institute of Standards and Technology (NIST)
Information Technology Laboratory
(ITL) promotes the U.S. economy and public welfare by
providing technical leadership for the
Nation’s measurement and standards infrastructure. ITL
develops tests, test methods, reference
data, proof of concept implementations, and technical analyses
to advance the development
and productive use of information technology (IT). ITL’s
responsibilities include the development
of management, administrative, technical, and physical
standards and guidelines for the cost-
effective security of other than national security-related
information in federal information
systems. The Special Publication 800-series reports on ITL’s
research, guidelines, and outreach
efforts in information systems security and privacy and its
collaborative activities with industry,
government, and academic organizations.
Abstract
8. This publication describes the Risk Management Framework
(RMF) and provides guidelines for
applying the RMF to information systems and organizations.
The RMF provides a disciplined,
structured, and flexible process for managing security and
privacy risk that includes information
security categorization; control selection, implementation, and
assessment; system and
common control authorizations; and continuous monitoring. The
RMF includes activities to
prepare organizations to execute the framework at appropriate
risk management levels. The
RMF also promotes near real-time risk management and
ongoing information system and
common control authorization through the implementation of
continuous monitoring
processes; provides senior leaders and executives with the
necessary information to make
efficient, cost-effective, risk management decisions about the
systems supporting their missions
and business functions; and incorporates security and privacy
into the system development life
cycle. Executing the RMF tasks links essential risk management
processes at the system level to
risk management processes at the organization level. In
addition, it establishes responsibility
and accountability for the controls implemented within an
organization’s information systems
and inherited by those systems.
Keywords
assess; authorization to operate; authorization to use;
authorizing official; categorize; common
control; common control authorization; common control
provider; continuous monitoring;
9. control assessor; control baseline; cybersecurity framework
profile; hybrid control; information
owner or steward; information security; monitor; ongoing
authorization; plan of action and
milestones; privacy; privacy assessment report; privacy control;
privacy plan; privacy risk; risk
assessment; risk executive function; risk management; risk
management framework; security;
security assessment report; security control; security
engineering; security plan; security risk;
senior agency information security officer; senior agency
official for privacy; supply chain risk
management; system development life cycle; system owner;
system privacy officer; system
security officer; system-specific control.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE iii
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
10. Acknowledgements
This publication was developed by the Joint Task Force
Interagency Working Group. The group
includes representatives from the Civil, Defense, and
Intelligence Communities. The National
Institute of Standards and Technology wishes to acknowledge
and thank the senior leaders from
the Departments of Commerce and Defense, the Office of the
Director of National Intelligence,
the Committee on National Security Systems, and the members
of the interagency working
group whose dedicated efforts contributed significantly to the
publication.
Department of Defense Office of the Director of National
Intelligence
Dana Deasy John Sherman
Chief Information Officer Chief Information Officer
Essye B. Miller
Vacant
Principal Deputy CIO and DoD Senior Information Deputy
Chief Information Officer
Security Officer
Thomas P. Michelli
Susan Dorr
Acting Deputy Chief Information Officer for Cybersecurity
Director, Cybersecurity Division and Chief
Information Security Officer
Vicki Michetti Wallace Coggins
11. Director, Cybersecurity Policy, Strategy, International,
Director, Security Coordination Center
and Defense Industrial Base Directorate
National Institute of Standards and Technology Committee on
National Security
Systems
Charles H. Romine Thomas Michelli
Director, Information Technology Laboratory Chair—Defense
Community
Donna Dodson Susan Dorr—Intelligence Community
Cybersecurity Advisor, Information Technology Laboratory
Co-Chair
Matt Scholl Vicki Michetti
Chief, Computer Security Division Tri-Chair—Defense
Community
Kevin Stine Chris Johnson
Chief, Applied Cybersecurity Division Tri-Chair—
Intelligence Community
Ron Ross Paul Cunningham
FISMA Implementation Project Leader Tri-Chair—Civil
Agencies
Joint Task Force Working Group
Ron Ross Kevin Dulany Peter Duspiva Kelley Dempsey
NIST, JTF Leader DoD Intelligence Community NIST
Taylor Roberts Ellen Nadeau Victoria Pillitteri Naomi
Lefkovitz
OMB NIST NIST NIST
Jordan Burris Charles Cutshall Kevin Herms Carol Bales
12. OMB OMB OMB OMB
Jeff Marron Kaitlin Boeckl Kirsten Moncada Jon Boyens
NIST NIST OMB NIST
Dorian Pappas Dominic Cussatt Esten Porter Celia
Paulsen
CNSS Veterans Affairs The MITRE Corporation NIST
Daniel Faigin Christina Sames Julie Snyder Martin
Stanley
The Aerospace Corporation The MITRE Corporation The
MITRE Corporation Homeland Security
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE iv
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
The authors also wish to recognize Matt Barrett, Kathleen
Coupe, Jeff Eisensmith, Chris Enloe,
Ned Goren, Matthew Halstead, Jody Jacobs, Ralph Jones,
13. Martin Kihiko, Raquel Leone, and the
scientists, engineers, and research staff from the Computer
Security Division and the Applied
Cybersecurity Division for their exceptional contributions in
helping to improve the content of
the publication. A special note of thanks to Jim Foti and the
NIST web team for their outstanding
administrative support.
In addition, the authors wish to acknowledge the United States
Air Force and the “RMF Next”
initiative, facilitated by Air Force CyberWorx, that provided the
inspiration for some of the new
ideas in this update to the RMF. The working group, led by
Lauren Knausenberger, Bill Bryant,
and Venice Goodwine, included government and industry
representatives Jake Ames, Chris
Bailey, James Barnett, Steve Bogue, Wes Chiu, Kurt Danis,
Shane Deichman; Joe Erskine, Terence
Goodman, Jason Howe, Brandon Howell, Todd Jacobs, Peter
Klabe, William Kramer, Bryon
Kroger, Kevin LaSalle, Dinh Le, Noam Liran, Sam Miles,
Michael Morrison, Raymond Tom Nagley,
Wendy Nather, Jasmine Neal, Ryan Perry, Eugene Peterson,
Lawrence Rampaul, Jessica
Rheinschmidt, Greg Roman, Susanna Scarveles, Justin
Schoenthal, Christian Sorenson, Stacy
Studstill, Charles Wade, Shawn Whitney, David Wilcox, and
Thomas Woodring.
Finally, the authors also gratefully acknowledge the significant
contributions from individuals
and organizations in both the public and private sectors,
nationally and internationally, whose
thoughtful and constructive comments improved the overall
quality, thoroughness, and
14. usefulness of this publication.
HISTORICAL CONTRIBUTIONS TO NIST SPECIAL
PUBLICATION 800-37
The authors acknowledge the many individuals who contributed
to previous versions of Special
Publication 800-37 since its inception in 2005. They include
Marshall Abrams, William Barker,
Beckie Koonge, Roger Caslow, John Gilligan, Peter Gouldmann,
Richard Graubart, John Grimes,
Gus Guissanie, Priscilla Guthrie, Jennifer Fabius, Cita Furlani,
Richard Hale, Peggy Himes, William
Hunteman, Arnold Johnson, Donald Jones, Stuart Katzke,
Eustace King, Mark Morrison, Sherrill
Nicely, Karen Quigg, George Rogers, Cheryl Roby, Gary
Stoneburner, Marianne Swanson, Glenda
Turner, and Peter Williams.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE v
This publication is available free of charge from
15. : https://doi.org/10.6028/N
IST.S
P
.800-37r2
Executive Summary
As we push computers to “the edge,” building a complex world
of interconnected information
systems and devices, security and privacy risks (including
supply chain risks) continue to be a
large part of the national conversation and topics of great
importance. The significant increase
in the complexity of the hardware, software, firmware, and
systems within the public and
private sectors (including the U.S. critical infrastructure)
represents a significant increase in
attack surface that can be exploited by adversaries. Moreover,
adversaries are using the supply
chain as an attack vector and effective means of penetrating our
systems, compromising the
integrity of system elements, and gaining access to critical
assets.
The Defense Science Board Report, Resilient Military Systems
and the Advanced Cyber Threat
[DSB 2013], provides a sobering assessment of the
vulnerabilities in the United States
Government, the U.S. critical infrastructure, and the systems
supporting the mission-essential
operations and assets in the public and private sectors.
“…The Task Force notes that the cyber threat to U.S. critical
16. infrastructure is outpacing
efforts to reduce pervasive vulnerabilities, so that for the next
decade at least the United States
must lean significantly on deterrence to address the cyber threat
posed by the most capable
U.S. adversaries. It is clear that a more proactive and systematic
approach to U.S. cyber
deterrence is urgently needed…”
There is an urgent need to further strengthen the underlying
information systems, component
products, and services that we depend on in every sector of the
critical infrastructure—ensuring
that the systems, products, and services are sufficiently
trustworthy throughout the system
development life cycle (SDLC) and can provide the necessary
resilience to support the economic
and national security interests of the United States. System
modernization, the increased use of
automation, and the consolidation, standardization, and
optimization of federal systems and
networks to strengthen the protection for high value assets
[OMB M-19-03], are key objectives
for the federal government.
Executive Order (E.O.) 13800, Strengthening the Cybersecurity
of Federal Networks and Critical
Infrastructure [EO 13800] recognizes the increasing
interconnectedness of Federal information
systems and requires heads of agencies to ensure appropriate
risk management not only for the
Federal agency’s enterprise, but also for the Executive Branch
as a whole. The E.O. states:
“…The executive branch operates its information technology
(IT) on behalf of the American people.
17. Its IT and data should be secured responsibly using all United
States Government capabilities...”
“…Cybersecurity risk management comprises the full range of
activities undertaken to protect IT
and data from unauthorized access and other cyber threats, to
maintain awareness of cyber
threats, to detect anomalies and incidents adversely affecting IT
and data, and to mitigate the
impact of, respond to, and recover from incidents…”
OMB Memorandum M-17-25, Reporting Guidance for Executive
Order on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure
[OMB M-17-25] provides
implementation guidance to Federal agencies for E.O. 13800.
The memorandum states:
“… An effective enterprise risk management program promotes
a common understanding for
recognizing and describing potential risks that can impact an
agency’s mission and the delivery of
services to the public. Such risks include, but are not limited to,
strategic, market, cyber, legal,
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE vi
18. This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
reputational, political, and a broad range of operational risks
such as information security, human
capital, business continuity, and related risks…”
“… Effective management of cybersecurity risk requires that
agencies align information security
management processes with strategic, operational, and
budgetary planning processes…”
OMB Circular A-130, Managing Information as a Strategic
Resource [OMB A-130], addresses
responsibilities for protecting federal information resources and
for managing personally
identifiable information (PII). Circular A-130 requires agencies
to implement the RMF that is
described in this guideline and requires agencies to integrate
privacy into the RMF process. In
establishing requirements for information security programs and
privacy programs, the OMB
circular emphasizes the need for both programs to collaborate
on shared objectives:
“While security and privacy are independent and separate
disciplines, they are closely related, and it is
essential for agencies to take a coordinated approach to
identifying and managing security and privacy
19. risks and complying with applicable requirements….”
This update to NIST Special Publication 800-37 (Revision 2)
responds to the call by the Defense
Science Board, the Executive Order, and the OMB policy
memorandum to develop the next-
generation Risk Management Framework (RMF) for information
systems, organizations, and
individuals.
There are seven major objectives for this update:
• To provide closer linkage and communication between the risk
management processes and
activities at the C-suite or governance level of the organization
and the individuals,
processes, and activities at the system and operational level of
the organization;
• To institutionalize critical risk management preparatory
activities at all risk management
levels to facilitate a more effective, efficient, and cost-effective
execution of the RMF;
• To demonstrate how the NIST Cybersecurity Framework
[NIST CSF] can be aligned with the
RMF and implemented using established NIST risk management
processes;
• To integrate privacy risk management processes into the RMF
to better support the privacy
protection needs for which privacy programs are responsible;
• To promote the development of trustworthy secure software
and systems by aligning life
cycle-based systems engineering processes in NIST Special
20. Publication 800-160, Volume 1
[SP 800-160 v1], with the relevant tasks in the RMF;
• To integrate security-related, supply chain risk management
(SCRM) concepts into the RMF
to address untrustworthy suppliers, insertion of counterfeits,
tampering, unauthorized
production, theft, insertion of malicious code, and poor
manufacturing and development
practices throughout the SDLC; and
• To allow for an organization-generated control selection
approach to complement the
traditional baseline control selection approach and support the
use of the consolidated
control catalog in NIST Special Publication 800-53, Revision 5.
The addition of the Prepare step is one of the key changes to the
RMF—incorporated to achieve
more effective, efficient, and cost-effective security and privacy
risk management processes.
The primary objectives for institutionalizing organization-level
and system-level preparation are:
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE vii
21. This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• To facilitate effective communication between senior leaders
and executives at the
organization and mission/business process levels and system
owners at the operational
level;
• To facilitate organization-wide identification of common
controls and the development of
organizationally-tailored control baselines, reducing the
workload on individual system
owners and the cost of system development and asset
protection;
• To reduce the complexity of the information technology (IT)
and operations technology (OT)
infrastructure using Enterprise Architecture concepts and
models to consolidate, optimize,
and standardize organizational systems, applications, and
services;
• To reduce the complexity of systems by eliminating
unnecessary functions and security and
privacy capabilities that do not address security and privacy
risk; and
• To identify, prioritize, and focus resources on the
organization’s high value assets (HVA) that
22. require increased levels of protection—taking measures
commensurate with the risk to such
assets.
By achieving the above objectives, organizations can simplify
RMF execution, employ innovative
approaches for managing risk, and increase the level of
automation when carrying out specific
tasks. Organizations implementing the RMF will be able to:
- Use the tasks and outputs of the Organization-Level and
System-Level Prepare step to
promote a consistent starting point within organizations to
execute the RMF;
- Maximize the use of common controls at the organization level
to promote standardized,
consistent, and cost-effective security and privacy capability
inheritance;
- Maximize the use of shared or cloud-based systems, services,
and applications to reduce the
number of authorizations needed across the organization;
- Employ organizationally-tailored control baselines to increase
the speed of security and
privacy plan development and the consistency of security and
privacy plan content;
- Employ organization-defined controls based on security and
privacy requirements
generated from a systems security engineering process;
- Maximize the use of automated tools to manage security
categorization; control selection,
assessment, and monitoring; and the authorization process;
23. - Decrease the level of effort and resource expenditures for low-
impact systems if those
systems cannot adversely affect higher-impact systems through
system connections;
- Maximize the reuse of RMF artifacts (e.g., security and
privacy assessment results) for
standardized hardware/software deployments, including
configuration settings;
- Reduce the complexity of the IT/OT infrastructure by
eliminating unnecessary systems,
system components, and services — employing the least
functionality principle; and
- Make the transition to ongoing authorization a priority and use
continuous monitoring
approaches to reduce the cost and increase the efficiency of
security and privacy programs.
Recognizing that the preparation for RMF execution may vary
from organization to organization,
achieving the above objectives can reduce the overall IT/OT
footprint and attack surface of
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
24. PAGE viii
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
organizations, promote IT modernization objectives, conserve
resources, prioritize security
activities to focus protection strategies on the most critical
assets and systems, and promote
privacy protections for individuals.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE ix
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
25. COMMON SECURITY AND PRIVACY RISK FOUNDATIONS
In developing standards and guidelines, NIST consults with
federal agencies, state, local, and
tribal governments, and private sector organizations; avoids
unnecessary and costly duplication
of effort; and ensures that its publications are complementary
with the standards and guidelines
used for the protection of national security systems. In addition
to implementing a transparent
public review process for its publications, NIST collaborates
with the Office of Management and
Budget, the Office of the Director of National Intelligence, the
Department of Defense, and the
Committee on National Security Systems, and has established a
unified risk management
framework for the federal government. This common foundation
provides the Civil, Defense,
and Intelligence Communities of the federal government and
their contractors, cost-effective,
flexible, and consistent methods and techniques to manage
security and privacy risks to
organizational operations and assets, individuals, other
organizations, and the Nation. The
unified framework also provides a strong basis for reciprocal
acceptance of assessment results
and authorization decisions and facilitates information sharing
and collaboration. NIST
continues to work with public and private sector entities to
establish mappings and relationships
between its security and privacy standards and guidelines and
those developed by external
organizations.
26. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE x
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
ACCEPTANCE OF SECURITY AND PRIVACY RISK
The Risk Management Framework addresses security and
privacy risk from two perspectives—
an information system perspective and a common controls
perspective. For an information
system, authorizing officials issue an authorization to operate or
authorization to use for the
system, accepting the security and privacy risks to the
organization’s operations and assets,
individuals, other organizations, and the Nation. For common
27. controls, authorizing officials issue
a common control authorization for a specific set of controls
that can be inherited by designated
organizational systems, accepting the security and privacy risks
to the organization’s operations
and assets, individuals, other organizations, and the Nation.
Authorizing officials also consider
the risk of inheriting common controls as part of their system
authorizations. The different types
of authorizations are described in Appendix F.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xi
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
28. THE RMF IS TECHNOLOGY NEUTRAL
The RMF is purposefully designed to be technology neutral so
that the methodology can be
applied to any type of information system* without
modification. While the specific controls
selected, control implementation details, and control assessment
methods and objects may vary
with different types of IT resources, there is no need to adjust
the RMF process to accommodate
specific technologies.
All information systems process, store, or transmit some type of
information. For example,
information about the temperature in a remote facility collected
and transmitted by a sensor to
a monitoring station, location coordinates transmitted by radio
to a controller on a weapons
system, photographic images transmitted by a remote camera
(land/satellite-based) to a server,
or health IT devices transmitting patient information via a
hospital network, require protection.
This information can be protected by: categorizing the
information to determine the impact of
loss; assessing whether the processing of the information could
impact individuals’ privacy; and
selecting and implementing controls that are applicable to the
IT resources in use. Therefore,
cloud-based systems, industrial/process control systems,
weapons systems, cyber-physical
systems, applications, IoT devices, or mobile devices/systems,
do not require a separate risk
management process but rather a tailored set of controls and
specific implementation details
determined by applying the existing RMF process.
29. The RMF is applied iteratively, as applicable, during the system
development life cycle for any
type of system development approach (including Agile and
DevOps approaches). The security
and privacy requirements and controls are implemented,
verified, and validated as development
progresses throughout the life cycle. This flexibility allows the
RMF to support rapid technology
cycles, innovation, and the use of current best practices in
system and system component
development.
* Note: The publication pertains to information systems, which
are discrete sets of information resources
organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of
information, whether such information is in digital or non-
digital form. Information resources include
information and related resources, such as personnel,
equipment, funds, and information technology.
Therefore, information systems may or may not include
hardware, firmware, and software.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xii
30. This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
USE OF AUTOMATION IN THE EXECUTION OF THE RMF
Organizations should maximize the use of automation, wherever
possible, to increase the speed,
effectiveness, and efficiency of executing the steps in the Risk
Management Framework (RMF).
Automation is particularly useful in the assessment and
continuous monitoring of controls, the
preparation of authorization packages for timely decision-
making, and the implementation of
ongoing authorization approaches—together facilitating a real-
time or near real-time risk-based
decision-making process for senior leaders. Organizations have
significant flexibility in deciding
when, where, and how to use automation or automated support
tools for their security and
privacy programs. In some situations, automated assessments
and monitoring of controls may
not be possible or feasible.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
31. A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xiii
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
SCOPE AND APPLICABILITY
This publication is intended to help organizations manage
security and privacy risk, and to satisfy
the requirements in the Federal Information Security
Modernization Act of 2014 (FISMA), the
Privacy Act of 1974, OMB policies, and Federal Information
Processing Standards, among other
laws, regulations, and policies. The scope of this publication
pertains to federal information
systems, which are discrete sets of information resources
organized for the collection,
processing, maintenance, use, sharing, dissemination, or
disposition of information, whether
such information is in digital or non-digital form. Information
resources include information and
related resources, such as personnel, equipment, funds, and
information technology.
32. While mandatory for federal government use, the RMF can be
applied to any type of nonfederal
organization (e.g., business, industry, academia). As such,
State, local, and tribal governments,
as well as private sector organizations are encouraged to use
these guidelines on a voluntary
basis, as appropriate. In addition, nonfederal organizations that
have adopted and implemented
the Cybersecurity Framework might find value in using the
RMF as a risk management process
for execution of the Framework—providing the essential tasks
for control implementation,
assessment, and monitoring, as well as system authorizations
(for risk-based decision making).
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xiv
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
33. MANAGING RISK
Using the Cybersecurity Framework
Executive Order (E.O.) 13800 requires federal agencies to
modernize their IT infrastructure and
systems and recognizes the increasing interconnectedness of
federal information systems and
networks. The E.O. also requires heads of agencies to manage
risk at the agency level and across
the Executive Branch using the Framework for Improving
Critical Infrastructure Cybersecurity
(i.e., Cybersecurity Framework). And finally, the E.O.
reinforces the Federal Information Security
Modernization Act (FISMA) of 2014 by holding heads of
agencies responsible and accountable
for managing the cybersecurity risk to their organizations.
The Cybersecurity Framework is adaptive to provide a flexible
and risk-based implementation
that can be used with a broad array of cybersecurity risk
management processes. Therefore,
consistent with OMB Memorandum M-17-25, the federal
implementation of the Cybersecurity
Framework fully supports the use of and is consistent with the
risk management processes and
approaches defined in [SP 800-39] and NIST Special
Publication 800-37. This allows agencies to
meet their concurrent obligations to comply with the
requirements of FISMA and E.O. 13800.
Each task in the RMF includes references to specific sections in
the Cybersecurity Framework.
34. For example, Task P-2, Risk Management Strategy, aligns with
the Cybersecurity Framework
Core [Identify Function]; Task P-4, Organizationally-Tailored
Control Baselines and Cybersecurity
Framework Profiles, aligns with the Cybersecurity Framework
Profile construct; and Task R-5,
Authorization Reporting, and Task M-5, Security and Privacy
Reporting, support OMB reporting
and risk management requirements organization-wide by using
the Cybersecurity Framework
constructs of Functions, Categories, and Subcategories. The
Subcategory mappings to the [SP
800-53] controls are available at:
https://www.nist.gov/cyberframework/federal-resources.
https://www.nist.gov/cyberframework/federal-resources
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xv
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
35. SECURITY AND PRIVACY IN THE RMF
Organizations are encouraged to collaborate on the plans,
assessments, and plans of action and
milestones (POAM) for security and privacy issues to maximize
efficiency and reduce duplication
of effort. The objective is to ensure that security and privacy
requirements derived from laws,
executive orders, directives, regulations, policies, standards, or
missions and business functions
are adequately addressed, and the appropriate controls are
selected, implemented, assessed,
and monitored on an ongoing basis. The authorization decision,
a key step in the RMF, depends
on the development of credible and actionable security and
privacy evidence generated for the
authorization package. Creating such evidence in a cost-
effective and efficient manner is
important.
The unified and collaborative approach to bring security and
privacy evidence together in a
single authorization package will support authorizing officials
with critical information from
security and privacy professionals to help inform the
authorization decision. In the end, it is not
about generating additional paperwork, artifacts, or
documentation. Rather, it is about ensuring
greater visibility into the implementation of security and
privacy controls which will promote
more informed, risk-based authorization decisions.
36. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xvi
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Table of Contents
CHAPTER ONE INTRODUCTION
...............................................................................................
....... 1
1.1 BACKGROUND
...............................................................................................
..................................... 2
1.2 PURPOSE AND APPLICABILITY
...............................................................................................
.............. 3
1.3 TARGET AUDIENCE
...............................................................................................
............................... 4
1.4 ORGANIZATION OF THIS PUBLICATION
...............................................................................................
5
37. CHAPTER TWO THE FUNDAMENTALS
............................................................................................ 6
2.1 ORGANIZATION-WIDE RISK MANAGEMENT
....................................................................................... 6
2.2 RISK MANAGEMENT FRAMEWORK STEPS AND
STRUCTURE .............................................................. 8
2.3 INFORMATION SECURITY AND PRIVACY IN THE
RMF ........................................................................ 13
2.4 SYSTEM AND SYSTEM
ELEMENTS............................................................................
.......................... 15
2.5 AUTHORIZATION BOUNDARIES
...............................................................................................
......... 17
2.6 REQUIREMENTS AND CONTROLS
...............................................................................................
....... 18
2.7 SECURITY AND PRIVACY POSTURE
...............................................................................................
..... 19
2.8 SUPPLY CHAIN RISK MANAGEMENT
.................................................................................. .............
.. 20
CHAPTER THREE THE PROCESS
...............................................................................................
..... 23
3.1 PREPARE
....................................................................................... ........
............................................ 28
3.2
CATEGORIZE.........................................................................
............................................................. 46
3.3 SELECT
...............................................................................................
38. ............................................... 50
3.4 IMPLEMENT
...............................................................................................
....................................... 58
3.5 ASSESS
...............................................................................................
............................................... 61
3.6 AUTHORIZE
...............................................................................................
........................................ 69
3.7 MONITOR
...............................................................................................
........................................... 76
APPENDIX A REFERENCES
...............................................................................................
............. 84
APPENDIX B GLOSSARY
...............................................................................................
................. 90
APPENDIX C ACRONYMS
...............................................................................................
............. 112
APPENDIX D ROLES AND RESPONSIBILITIES
............................................................................... 114
APPENDIX E SUMMARY OF RMF TASKS
..................................................................................... 126
APPENDIX F SYSTEM AND COMMON CONTROL
AUTHORIZATIONS .......................................... 139
APPENDIX G AUTHORIZATION BOUNDARY
CONSIDERATIONS .................................................. 157
APPENDIX H SYSTEM LIFE CYCLE CONSIDERATIONS
.................................................................. 162
39. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
PAGE xvii
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Errata
This table contains changes that have been incorporated into
Special Publication 800-37. Errata
updates can include corrections, clarifications, or other minor
changes in the publication that
are either editorial or substantive in nature.
DATE TYPE CHANGE PAGE
40. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
41. A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER ONE PAGE 1
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
CHAPTER ONE
INTRODUCTION
THE NEED TO MANAGE SECURITY AND PRIVACY RISK
rganizations depend on information systems1 to carry out their
missions and business
functions. The success of the missions and business functions
depends on protecting the
confidentiality, integrity, availability of information processed,
stored, and transmitted
by those systems and the privacy of individuals. The threats to
information systems include
equipment failure, environmental disruptions, human or
machine errors, and purposeful attacks
that are often sophisticated, disciplined, well-organized, and
well-funded.2 When successful,
attacks on information systems can result in serious or
catastrophic damage to organizational
operations3 and assets, individuals, other organizations, and the
42. Nation.4 Therefore, it is
imperative that organizations remain vigilant and that senior
executives, leaders, and managers
throughout the organization understand their responsibilities
and are accountable for
protecting organizational assets and for managing risk.5
In addition to the responsibility to protect organizational assets
from the threats that exist in
today’s environment, organizations have a responsibility to
consider and manage the risks to
individuals when information systems process personally
identifiable information (PII).6 7 The
information security and privacy programs implemented by
organizations have complementary
objectives with respect to managing the confidentiality,
integrity, and availability of PII. While
many privacy risks arise from unauthorized activities that lead
to the loss of confidentiality,
integrity, or availability of PII, other privacy risks result from
authorized activities involving the
creation, collection, use, processing, storage, maintenance,
dissemination, disclosure, or
disposal of PII that enables an organization to meet its mission
or business objectives. For
example, organizations could fail to provide appropriate notice
of PII processing depriving an
individual of knowledge of such processing or an individual
could be embarrassed or stigmatized
1 An information system is a discrete set of information
resources organized for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of
information [44 USC 3502]. The term information system
includes, for example, general-purpose computing systems;
43. industrial/process control systems; cyber-physical
systems; weapons systems; super computers; command, control,
and communications systems; devices such as smart
phones and tablets; environmental control systems; embedded
devices/sensors; and paper-based systems.
2 Defense Science Board Task Force Report, Resilient Military
Systems and the Advanced Cyber Threat [DSB 2013].
3 Organizational operations include mission, functions, image,
and reputation.
4 Adverse impacts include, for example, compromises to
systems supporting critical infrastructure applications or that
are paramount to government continuity of operations as
defined by the Department of Homeland Security.
5 Risk is a measure of the extent to which an entity is
threatened by a potential circumstance or event. Risk is also a
function of the adverse impacts that arise if the circumstance or
event occurs, and the likelihood of occurrence. Types
of risk include program risk; compliance/regulatory risk;
financial risk; legal risk; mission/business risk; political risk;
security and privacy risk (including supply chain risk); project
risk; reputational risk; safety risk; strategic planning risk.
6 [OMB A-130] defines PII as “information that can be used to
distinguish or trace an individual’s identity, either alone
or when combined with other information that is linked or
linkable to a specific individual.”
7 Organizations may also choose to consider risks to individuals
that may arise from interactions with information
systems, where the processing of PII may be less impactful than
the effect the system has on individuals’ behavior or
activities. Such effects would constitute risks to individual
autonomy and organizations may need to take steps to
manage those risks in addition to information security and
privacy risks.
O
44. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER ONE PAGE 2
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
by the authorized disclosure of PII. While managing privacy
risk requires close coordination
between information security and privacy programs due to the
complementary nature of the
programs’ objectives around the confidentiality, integrity, and
availability of PII, privacy risks
also raise distinct concerns that require specialized expertise
and approaches. Therefore, it is
critical that organizations also establish and maintain robust
privacy programs to ensure
compliance with applicable privacy requirements and to manage
the risk to individuals
associated with the processing of PII.
45. Closely related to, and a part of security and privacy risks,
supply chain risk8 is also of growing
concern to organizations. Because of the increased reliance on
third-party or external providers
and commercial-off-the-shelf products, systems, and services,
attacks or disruptions in the
supply chain which impact an organization’s systems are
increasing. Such attacks can be difficult
to trace or manage and can result in serious, severe, or
catastrophic consequences for an
organization’s systems. Supply chain risk management (SCRM)
overlaps and works in harmony
with security and privacy risk management. This publication
integrates security and privacy risk
management practices associated with SCRM into the RMF to
help promote a comprehensive
approach to managing security and privacy risk. While the
publication is principally focused on
managing information security and privacy risk, SCRM
concepts that support security and
privacy risk management are specifically called out in several
areas to add emphasis and to
clarify how they can be addressed using the RMF.
1.1 BACKGROUND
NIST in its partnership with the Department of Defense, the
Office of the Director of National
Intelligence, and the Committee on National Security Systems,
developed a Risk Management
Framework (RMF) to improve information security, strengthen
risk management processes, and
encourage reciprocity9 among organizations. In July 2016, the
Office of Management and
Budget (OMB) revised Circular A-130 to include
responsibilities for privacy programs under the
RMF.
46. The RMF emphasizes risk management by promoting the
development of security and privacy
capabilities into information systems throughout the system
development life cycle (SDLC);10 by
maintaining situational awareness of the security and privacy
posture of those systems on an
ongoing basis through continuous monitoring processes; and by
providing information to senior
leaders and executives to facilitate decisions regarding the
acceptance of risk to organizational
operations and assets, individuals, other organizations, and the
Nation arising from the use and
operation of their systems. The RMF:
• Provides a repeatable process designed to promote the
protection of information and
information systems commensurate with risk;
• Emphasizes organization-wide preparation necessary to
manage security and privacy risks;
8 SCRM requirements are promulgated in [OMB A-130], [DODI
5200.44], and for national security systems in [CNSSD
505]. SCRM requirements have also been addressed by the
Federal SCRM Policy Coordinating Committee.
9 Reciprocity is an agreement between organizations to accept
one another’s security assessment results in order to
reuse system resources or to accept each other’s assessed
security posture in order to share information.
10 [SP 800-64] and [SP 800-160 v1] provide guidance on
security considerations in the SDLC.
47. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER ONE PAGE 3
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• Facilitates the categorization of information and systems, the
selection, implementation,
assessment, and monitoring of controls, and the authorization of
information systems and
common controls;11
• Promotes the use of automation for near real-time risk
management and ongoing system
and control authorization through the implementation of
continuous monitoring processes;
• Encourages the use of correct and timely metrics to provide
senior leaders and managers
with the necessary information to make cost-effective, risk-
based decisions for information
48. systems supporting their missions and business functions;
• Facilitates the integration of security and privacy
requirements12 and controls into
enterprise architecture,13 SDLC, acquisition processes, and
systems engineering processes;
• Connects risk management processes at the organization and
mission/business process
levels to risk management processes at the information system
level through a senior
accountable official for risk management and risk executive
(function);14 and
• Establishes responsibility and accountability for controls
implemented within information
systems and inherited by those systems.
The RMF provides a dynamic and flexible approach to
effectively manage security and privacy
risks in diverse environments with complex and sophisticated
threats, evolving missions and
business functions, and changing system and organizational
vulnerabilities. The framework is
policy and technology neutral, which facilitates ongoing
upgrades to IT resources15 and to IT
modernization efforts—to support and help ensure essential
missions and services are provided
during such transition periods.
1.2 PURPOSE AND APPLICABILITY
This publication describes the RMF and provides guidelines for
managing security and privacy
risks and applying the RMF to information systems and
organizations. The guidelines have been
developed:
49. • To ensure that managing system-related security and privacy
risk is consistent with the
mission and business objectives of the organization and risk
management strategy
established by the senior leadership through the risk executive
(function);
• To achieve privacy protections for individuals and security
protections for information and
information systems through the implementation of appropriate
risk response strategies;
• To support consistent, informed, and ongoing authorization
decisions,16 reciprocity, and the
transparency and traceability of security and privacy
information;
11 Chapter 3 describes the seven steps and associated tasks in
the RMF.
12 Section 2.6 describes the relationship between requirements
and controls with respect to RMF execution.
13 [OMB FEA] provides guidance on the Federal Enterprise
Architecture.
14 [OMB M-17-25] provides guidance on risk management roles
and responsibilities.
15 IT resources refer to the information technology component
of information resources defined in [OMB A-130].
16 [SP 800-137] provides guidance on information security
continuous monitoring supporting ongoing authorization.
Future publications will address privacy continuous monitoring.
50. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER ONE PAGE 4
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• To facilitate the integration of security and privacy
requirements and controls into the
enterprise architecture, SDLC processes, acquisition processes,
and systems engineering
processes;17 and
• To facilitate the implementation of the Framework for
Improving Critical Infrastructure
Cybersecurity [NIST CSF] within federal agencies.18
This publication is intended to help organizations19 manage
security and privacy risk and to
satisfy the requirements in the Federal Information Security
Modernization Act of 2014 [FISMA],
the Privacy Act of 1974 [PRIVACT], OMB policies, and
designated Federal Information Processing
Standards, among other laws, regulations, and policies.
51. The scope of this publication pertains to federal information
systems, which are discrete sets of
information resources organized for the collection, processing,
maintenance, use, sharing,
dissemination, or disposition of information, whether such
information is in digital or non-digital
form. Information resources include information and related
resources, such as personnel,
equipment, funds, and information technology. The guidelines
have been developed from a
technical perspective to complement guidelines for national
security systems and may be used
for such systems with the approval of appropriate federal
officials with policy authority over
such systems. State, local, and tribal governments, as well as
private sector organizations are
encouraged to use these guidelines, as appropriate.
1.3 TARGET AUDIENCE
This publication serves individuals associated with the design,
development, implementation,
assessment, operation, maintenance, and disposition of
information systems including:
• Individuals with mission or business ownership
responsibilities or fiduciary responsibilities
(e.g., and heads of federal agencies);
• Individuals with information system, information security, or
privacy management,
oversight, or governance responsibilities (e.g., senior leaders,
risk executives, authorizing
officials, chief information officers, senior agency information
security officers, and senior
agency officials for privacy);
52. • Individuals responsible for conducting security or privacy
assessments and for monitoring
information systems, for example, control assessors, auditors,
and system owners;
• Individuals with security or privacy implementation and
operational responsibilities, for
example, system owners, common control providers,
information owners/stewards, mission
or business owners, security or privacy architects, and systems
security or privacy engineers;
• Individuals with information system development and
acquisition responsibilities (e.g.,
program managers, procurement officials, component product
and system developers,
systems integrators, and enterprise architects); and
17 [SP 800-160 v1] provides guidance on systems security
engineering and building trustworthy, secure systems.
18 [EO 13800] directs federal agencies to use the [NIST CSF]
to manage cybersecurity risk.
19 The term organization is used in this publication to describe
an entity of any size, complexity, or positioning within
an organizational structure (e.g., a federal agency or, as
appropriate, any of its operational elements).
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
53. _____________________________________________________
___________________________________________
CHAPTER ONE PAGE 5
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• Individuals with logistical or disposition-related
responsibilities (e.g., program managers,
procurement officials, system integrators, and property
managers).
For a comprehensive list and description of roles and
responsibilities associated with the RMF,
see Appendix D.
1.4 ORGANIZATION OF THIS PUBLICATION
The remainder of this special publication is organized as
follows:
• Chapter Two describes the concepts associated with managing
information system-related
security and privacy risk. This includes an organization-wide
view of risk management; the
RMF steps and task structure; the relationship between
information security and privacy
programs and how these programs are addressed in the RMF;
information resources as
system and system elements; authorization boundaries; security
54. and privacy posture; and
security and privacy considerations related to supply chain risk
management.
• Chapter Three describes the tasks required to implement the
steps in the RMF including:
organization-level and information system-level preparation;
categorization of information
and information systems; control selection, tailoring, and
implementation; assessment of
control effectiveness; information system and common control
authorization; the ongoing
monitoring of controls; and maintaining awareness of the
security and privacy posture of
information systems and the organization.
• Supporting Appendices provide additional information and
guidance for the application of
the RMF including:
- References;
- Glossary of Terms;
- Acronyms;
- Roles and Responsibilities;
- Summary of RMF Tasks;
- System and Common Control Authorizations;
- Authorization Boundary Considerations; and
- System Life Cycle Considerations.
55. NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 6
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
CHAPTER TWO
THE FUNDAMENTALS
HOW TO MANAGE SECURITY AND PRIVACY RISK
his chapter describes the basic concepts associated with
managing information system-
related security and privacy risk in organizations. These
concepts include the RMF steps
and task structure; information security and privacy programs in
the RMF; information
system, system elements, and how authorization boundaries are
established; security and
56. privacy posture; and security and privacy risk management
practices associated with the supply
chain.
2.1 ORGANIZATION-WIDE RISK MANAGEMENT
Managing information system-related security and privacy risk
is a complex undertaking that
requires the involvement of the entire organization—from
senior leaders providing the strategic
vision and top-level goals and objectives for the organization,
to mid-level leaders planning,
executing, and managing projects, to individuals developing,
implementing, operating, and
maintaining the systems supporting the organization’s missions
and business functions. Risk
management is a holistic activity that affects every aspect of the
organization including the
mission and business planning activities, the enterprise
architecture, the SDLC processes, and
the systems engineering activities that are integral to those
system life cycle processes. Figure 1
illustrates a multi-level approach to risk management described
in [SP 800-39] that addresses
security and privacy risk at the organization level, the
mission/business process level, and the
information system level. Communication and reporting are bi-
directional information flows
across the three levels to ensure that risk is addressed
throughout the organization.
57. FIGURE 1: ORGANIZATION-WIDE RISK MANAGEMENT
APPROACH
T
LEVEL ONE
ORGANIZATION
LEVEL TWO
MISSION/BUSINESS PROCESS
LEVEL THREE
INFORMATION SYSTEM
COMMUNICATION
AND REPORTING
RISK MANAGEMENT
ACROSS LEVELS
More detailed and granular risk perspective.
Broad-based risk perspective.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
58. _____________________________________________________
___________________________________________
CHAPTER TWO PAGE 7
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
The activities conducted at Levels 1 and 2 are critical to
preparing the organization to execute
the RMF. Such preparation involves a wide range of activities
that go beyond simply managing
the security and privacy risk associated with operating or using
specific systems and includes
activities that are essential to managing security and privacy
risk appropriately throughout the
organization. Decisions about how to manage such risk at the
system level cannot be made in
isolation. Such decisions are closely linked to the:
• Mission or business objectives of organizations;
• Modernization initiatives for systems, components, and
services;
• Enterprise architecture and the need to manage and reduce the
complexity20 of systems
through consolidation, optimization, and standardization;21 and
• Allocation of resources to ensure the organization can conduct
59. its missions and business
operations effectively, efficiently, and in a cost-effective
manner.
Preparing the organization to execute the RMF can include:
• Assigning roles and responsibilities for organizational risk
management processes;
• Establishing a risk management strategy and organizational
risk tolerance;
• Identifying the missions, business functions, and
mission/business processes the
information system is intended to support;
• Identifying key stakeholders (internal and external to the
organization) that have an interest
in the information system;
• Identifying and prioritizing assets (including information
assets);
• Understanding threats to information systems and
organizations;
• Understanding the potential adverse effects on individuals;
• Conducting organization- and system-level risk assessments;
• Identifying and prioritizing security and privacy
requirements;22
• Determining authorization boundaries for information systems
and common controls;23
60. • Defining information systems in terms of the enterprise
architecture;
• Developing the security and privacy architectures that include
controls suitable for
inheritance by information systems;
20 Managing complexity of systems through consolidation,
optimization, and standardization reduces the attack
surface and technology footprint exploitable by adversaries.
21 Enterprise architecture defines the mission, information, and
the technologies necessary to perform the mission,
and transitional processes for implementing new technologies in
response to changing mission needs. It also includes
a baseline architecture, a target architecture, and a sequencing
plan. [OMB FEA] provides guidance for implementing
enterprise architectures.
22 Security and privacy requirements can be obtained from
many sources (e.g., laws, executive orders, directives,
regulations, policies, standards, and
mission/business/operational requirements).
23 Authorization boundaries determine the scope of
authorizations for information systems and common controls
(i.e., the system elements that define the system or the set of
common controls available for inheritance).
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
61. CHAPTER TWO PAGE 8
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• Identifying, aligning, and deconflicting security and privacy
requirements; and
• Allocating security and privacy requirements to information
systems, system elements, and
organizations.
In contrast to the Level 1 and 2 activities that prepare the
organization for the execution of the
RMF, Level 3 addresses risk from an information system
perspective and is guided and informed
by the risk decisions at the organization and mission/business
process levels. The risk decisions
at Levels 1 and 2 can impact the selection and implementation
of controls at the system level.
Controls are designated by the organization as system-specific,
hybrid, or common (inherited)
controls in accordance with the enterprise architecture, security
or privacy architecture, and any
tailored control baselines or overlays that have been developed
by the organization.24
Organizations establish traceability of controls to the security
and privacy requirements that the
62. controls are intended to satisfy. Establishing such traceability
ensures that all requirements are
addressed during system design, development, implementation,
operations, maintenance, and
disposition.25 Each level of the risk management hierarchy is a
beneficiary of a successful RMF
execution—reinforcing the iterative nature of the risk
management process where security and
privacy risks are framed, assessed, responded to, and monitored
at various organizational levels.
Without adequate risk management preparation at the
organizational level, security and privacy
activities can become too costly, demand too many skilled
security and privacy professionals,
and produce ineffective solutions. For example, organizations
that fail to implement an effective
enterprise architecture will have difficulty in consolidating,
optimizing, and standardizing their
information technology infrastructures. Additionally, the effect
of architectural and design
decisions can adversely affect the ability of organizations to
implement effective security and
privacy solutions. A lack of adequate preparation by
organizations could result in unnecessary
redundancy as well as inefficient, costly and vulnerable
systems, services, and applications.
2.2 RISK MANAGEMENT FRAMEWORK STEPS AND
STRUCTURE
There are seven steps in the RMF; a preparatory step to ensure
that organizations are ready to
execute the process and six main steps. All seven steps are
essential for the successful execution
of the RMF. The steps are:
63. • Prepare to execute the RMF from an organization- and a
system-level perspective by
establishing a context and priorities for managing security and
privacy risk.
• Categorize the system and the information processed, stored,
and transmitted by the
system based on an analysis of the impact of loss.26
24 Controls can be allocated at all three levels in the risk
management hierarchy. For example, common controls may
be allocated at the organization, mission/business process, or
information system level.
25 [SP 800-160 v1] provides guidance on requirements
engineering and traceability.
26 Impact of loss is one of four risk factors considered during
risk assessment activities—the other three factors being
threats, vulnerabilities, and likelihood of occurrence [SP 800-
30]. Organizations leverage risk assessment results when
categorizing information and systems. For national security
systems, it may be important to consider specific issues
affecting risk factors as part of categorization, such as, whether
the system processes, stores, or transmits classified
or intelligence information; whether the system will be accessed
directly or indirectly by non-U.S. personnel; and
whether the information processed, stored, or transmitted by the
system will cross security domains. [CNSSI 1253]
provides additional information on categorizing national
security systems.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
64. A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 9
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
• Select an initial set of controls for the system and tailor the
controls as needed to reduce
risk to an acceptable level based on an assessment of risk.
• Implement the controls and describe how the controls are
employed within the system and
its environment of operation.
• Assess the controls to determine if the controls are
implemented correctly, operating as
intended, and producing the desired outcomes with respect to
satisfying the security and
privacy requirements.
• Authorize the system or common controls based on a
determination that the risk to
organizational operations and assets, individuals, other
organizations, and the Nation is
acceptable.
65. • Monitor the system and the associated controls on an ongoing
basis to include assessing
control effectiveness, documenting changes to the system and
environment of operation,
conducting risk assessments and impact analyses, and reporting
the security and privacy
posture of the system.
Figure 2 illustrates the steps in the RMF. The RMF operates at
all levels in the risk management
hierarchy illustrated in Figure 1. Chapter Three provides a
detailed description of each of the
tasks necessary to carry out the steps in the RMF.
FIGURE 2: RISK MANAGEMENT FRAMEWORK
While the RMF steps are listed in sequential order above and in
Chapter Three, the steps
following the Prepare step can be carried out in a nonsequential
order. After completing the
tasks in the Prepare step, organizations executing the RMF for
66. the first time for a system or set
CATEGORIZE
AUTHORIZE
MONITOR
IMPLEMENT
SELECT
ASSESS
PREPARE
Process Initiation
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 10
67. This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
of common controls typically carry out the remaining steps in
sequential order. However, there
could be many points in the risk management process where
there is a need to diverge from the
sequential order due to the type of system, risk decisions made
by senior leadership, or to allow
for iterative cycles between tasks or revisiting of tasks (e.g.,
during agile development). Once the
organization is in the Monitor step, events may dictate a
nonsequential execution of steps. For
example, changes in risk or in system functionality may
necessitate revisiting one or more of the
steps in the RMF to address the change.
68. Although the risk management approach in Figure 1 is conveyed
as hierarchical, project and
organization dynamics are typically more complex. The risk
management approach selected by
an organization may vary on a continuum from top-down
command to decentralized consensus
among peers. However, in all cases, organizations use a
consistent approach that is applied to
risk management processes organization-wide from the
organization level to the information
system level. Organizational officials identify and secure the
needed resources to complete the
risk management tasks described in this publication and ensure
that those resources are made
available to the appropriate personnel. Resource allocation
includes funding to conduct risk
management tasks and assigning qualified personnel that are
needed to accomplish the tasks.
Each step in the RMF has a purpose statement, a defined set of
outcomes, and a set of tasks that
are carried out to achieve those outcomes. The outcomes can be
achieved by different risk
FLEXIBILITY IN RMF IMPLEMENTATION
Organizations are expected to execute all steps and tasks in the
RMF (apart from tasks labeled
as optional). However, organizations have significant flexibility
in how each of the RMF steps
and tasks are carried out, as long as organizations are meeting
all applicable requirements and
effectively managing security and privacy risk. The intent is to
69. allow organizations to implement
the RMF in the most efficient, effective, and cost-effective
manner to support mission and
business needs in a way that promotes effective security and
privacy. Flexible implementation
may include executing tasks in a different (potentially
nonsequential) order, emphasizing certain
tasks over other tasks, or combining certain tasks where
appropriate. It can also include the use
of the Cybersecurity Framework to enhance RMF task
execution.
Flexibility of implementation can also be applied to control
selection, control tailoring to meet
organizational security and privacy needs, or conducting control
assessments throughout the
SDLC. For example, the selection, tailoring, implementation,
and assessments of controls can be
done incrementally as a system is being developed. The
implementation of control tailoring
helps to ensure that security and privacy solutions are
customized for the specific missions,
business functions, risks, and operating environments of the
organization. In the end, the
flexibility inherent in RMF execution promotes effective
security and privacy that helps to
protect the systems that organizations depend on for mission
and business success and the
individuals whose information is processed by those systems.
Note: Since the RMF is an SDLC process that emphasizes
ongoing authorization, organizations have the flexibility
to determine which RMF step to enter (or reenter) based on an
assessment of risk and the tasks described in the
Prepare—System Level step. Determination of the appropriate
RMF step requires an assessment of the current
70. state of the system, a review of the activities that have already
been completed for the system, identification of
a proposed step and task entry into the RMF, a gap analysis to
ensure that the risk is acceptable, documenting
decisions, notifying stakeholders, and approval from the
Authorizing Official (or other relevant decision maker).
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 11
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
management levels—that is, some of the outcomes are universal
to the entire organization,
while others are system-focused or mission/business unit-
focused. Figure 3 provides an example
of the purpose statement and outcomes for the RMF Prepare
step—Organization-Level.
71. FIGURE 3: RISK MANAGEMENT FRAMEWORK TASK
STRUCTURE
3.1 PREPARE
PREPARE TASKS—ORGANIZATION LEVEL
Table 1 provides a summary of tasks and expected outcomes for
the RMF Prepare
step at the organization level. Applicable Cybersecurity
Framework constructs are also
provided.
72. TABLE 1: PREPARE TASKS AND OUTCOMES—
ORGANIZATION LEVEL
Tasks Outcomes
TASK P-1
RISK MANAGEMENT ROLES
• Individuals are identified and assigned key roles for
executing the Risk Management Framework.
[Cybersecurity Framework: ID.AM-6; ID.GV-2]
TASK P-2
RISK MANAGEMENT STRATEGY
• A risk management strategy for the organization that
includes a determination and expression of organizational
risk tolerance is established.
[Cybersecurity Framework: ID.RM; ID.SC]
TASK P-3
RISK ASSESSMENT—ORGANIZATION
• An organization-wide risk assessment is completed or an
existing risk assessment is updated.
[Cybersecurity Framework: ID.RA; ID.SC-2]
TASK P-4
ORGANIZATIONALLY-TAILORED CONTROL
BASELINES AND CYBERSECURITY
FRAMEWORK PROFILES (OPTIONAL)
• Organizationally-tailored control baselines and/or
Cybersecurity Framework Profiles are established and
made available.
[Cybersecurity Framework: Profile]
73. TASK P-5
COMMON CONTROL IDENTIFICATION
• Common controls that are available for inheritance by
organizational systems are identified, documented, and
published.
TASK P-6
IMPACT-LEVEL PRIORITIZATION
(OPTIONAL)
• A prioritization of organizational systems with the same
impact level is conducted.
[Cybersecurity Framework: ID.AM-5]
TASK P-7
CONTINUOUS MONITORING STRATEGY—
ORGANIZATION
• An organization-wide strategy for monitoring control
effectiveness is developed and implemented.
[Cybersecurity Framework: DE.CM; ID.SC-4]
Quick link to summary table for RMF tasks, responsibilities,
and supporting roles.
Purpose
The purpose of the Prepare step is to carry out essential
activities at the organization,
mission and business process, and information system levels of
the organization to
help prepare the organization to manage its security and privacy
risks using the Risk
74. Management Framework.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 12
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Each task contains a set of potential inputs needed to execute
the task and a set of expected
outputs generated from task execution.27 In addition, each task
describes the risk management
roles and responsibilities associated with the task and the phase
of the SDLC where task
execution occurs.28 A discussion section provides information
related to the task to facilitate
understanding and to promote effective task execution. Finally,
completing the RMF task
description, there is a list of references to provide organizations
with supplemental information
for each task. Where applicable, the references also identify
75. systems security engineering tasks
that correlate with the RMF task.29 Figure 4 illustrates the
structure of a typical RMF task.
FIGURE 4: RISK MANAGEMENT FRAMEWORK TASK
STRUCTURE
27 The potential inputs for a task may not always be derived
from the expected outputs from the previous task. This
can occur because the RMF steps are not always executed in
sequential order, breaking the sequential dependencies.
28 Appendix D provides a description of each of the roles and
responsibilities identified in the tasks.
29 [SP 800-160 v1] describes life cycle-based systems security
engineering processes.
RISK ASSESSMENT—ORGANIZATION
TASK P-3 Assess organization-wide security and privacy risk
and update the risk assessment
results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or
business objectives; current threat
information; system-level security and privacy risk assessment
results; supply chain risk
assessment results; previous organization-level security and
privacy risk assessment results;
information sharing agreements or memoranda of
understanding; security and privacy
information from continuous monitoring.
Expected Outputs: Organization-level risk assessment results.
76. Primary Responsibility: Senior Accountable Official for Risk
Management or Risk Executive
(Function); Senior Agency Information Security Officer; Senior
Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or
Business Owner; Authorizing Official or
Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level
leverages aggregated information from
system-level risk assessment results, continuous monitoring,
and any strategic risk considerations
relevant to the organization. The organization considers the
totality of risk from the operation and
use of its information systems, from information exchange and
connections with other internally
and externally owned systems, and from the use of external
providers. For example, the
organization may review the risk related to its enterprise
architecture and information systems of
varying impact levels residing on the same network and whether
higher impact systems are
segregated from lower impact systems or systems operated and
maintained by external providers.
The organization may also consider the variability of
environments that may exist within the
organization (e.g., different locations serving different
missions/business processes) and the need
to account for such variability in risk assessments. Risk
assessments of the organization’s supply
chain may be conducted as well. Risk assessment results may be
used to help organizations
establish a Cybersecurity Framework Profile.
References: [SP 800-30]; [SP 800-39] (Organization Level,
77. Mission/Business Process Level); [SP
800-161]; [IR 8062].
Task
Abbreviation
Prepare Step
Task 3
Explanatory
information to
facilitate
understanding
Artifacts, results, or conditions
after task execution
NIST publication sources for additional information to support
task execution
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 13
This publication is available free of charge from
: https://doi.org/10.6028/N
79. Executing the RMF requires close collaboration between
information security programs and
privacy programs. While information security programs and
privacy programs have different
objectives, those objectives are overlapping and complementary.
Information security programs
are responsible for protecting information and information
systems from unauthorized access,
use, disclosure, disruption, modification, or destruction (i.e.,
unauthorized system activity or
behavior) in order to provide confidentiality, integrity, and
availability. Privacy programs are
responsible for ensuring compliance with applicable privacy
requirements and for managing the
risks to individuals associated with the creation, collection, use,
processing, dissemination,
storage, maintenance, disclosure, or disposal (collectively
referred to as “processing”) of PII.30
When preparing to execute the steps of the RMF, organizations
consider how to best promote
and institutionalize collaboration between the two programs to
ensure that the objectives of
both disciplines are met at every step of the process.
30 Privacy programs may also choose to consider the risks to
individuals that may arise from their interactions with
information systems, where the processing of PII may be less
impactful than the effect the system has on individuals’
behavior or activities. Such effects would constitute risks to
individual autonomy and organizations may need to take
steps to manage those risks in addition to information security
and privacy risks.
OMB CIRCULAR A-130: INTEGRATION OF INFORMATION
80. SECURITY AND PRIVACY
In 2016, OMB revised Circular A-130, the circular establishing
general policy for the planning,
budgeting, governance, acquisition, and management of federal
information, personnel,
equipment, funds, information technology resources, and
supporting infrastructure and
services. The circular addresses responsibilities for protecting
federal information resources and
managing personally identifiable information (PII). In
establishing requirements for information
security programs and privacy programs, the circular
emphasizes the need for both programs to
collaborate on shared objectives:
While security and privacy are independent and separate
disciplines, they are closely related,
and it is essential for agencies to take a coordinated approach to
identifying and managing
security and privacy risks and complying with applicable
requirements.
[OMB A-130] requires organizations to implement the RMF that
is described in this guideline.
With the 2016 revision to the circular, OMB also requires
organizations to integrate privacy into
the RMF process:
The RMF provides a disciplined and structured process that
integrates information security,
privacy, and risk management activities into the SDLC. This
Circular requires organizations to
use the RMF to manage privacy risks beyond those that are
typically included under the
“confidentiality” objective of the term “information security.”
81. While many privacy risks relate
to the unauthorized access or disclosure of PII, privacy risks
may also result from other
activities, including the creation, collection, use, and retention
of PII; the inadequate quality
or integrity of PII; and the lack of appropriate notice,
transparency, or participation.
This section of the guideline describes the relationship between
information security programs
and privacy programs under the RMF. However, subject to
OMB policy, organizations retain the
flexibility to undertake the integration of privacy into the RMF
in the most effective manner,
considering the organization’s mission and circumstances.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 14
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
82. When an information system processes PII, the organization’s
information security program and
privacy program have a shared responsibility for managing the
risks to individuals that may arise
from unauthorized system activity or behavior. This requires the
two programs to collaborate
when selecting, implementing, assessing, and monitoring
security controls.31 However, while
information security programs and privacy programs have
complementary objectives with
respect to managing the confidentiality, integrity, and
availability of PII, protecting individuals’
privacy cannot be achieved solely by securing PII.
Not all privacy risks arise from unauthorized system activity or
behavior, such as unauthorized
access or disclosure of PII. Some privacy risks may result from
authorized activity that is beyond
the scope of information security. For example, privacy
programs are responsible for managing
the risks to individuals that may result from the creation,
collection, use, and retention of PII;
the inadequate quality or integrity of PII; and the lack of
appropriate notice, transparency, or
participation. Therefore, to help ensure compliance with
applicable privacy requirements and to
manage privacy risks from authorized and unauthorized
processing of PII, organizations’ privacy
programs also select, implement, assess, and monitor privacy
controls.32
[OMB A-130] defines a privacy control as an administrative,
technical, or physical safeguard
employed within an agency to ensure compliance with
applicable privacy requirements and to
83. manage privacy risks. A privacy control is different from a
security control, which the Circular
defines as a safeguard or countermeasure prescribed for an
information system or an
organization to protect the confidentiality, integrity, and
availability of the system and its
information. Due to the shared responsibility that organizations’
information security programs
and privacy programs have to manage the risks to individuals
arising from unauthorized system
activity or behavior, controls that achieve both security and
privacy objectives are both privacy
and security controls. This guideline refers to such controls that
achieve both sets of objectives
simply as “controls.” When this guideline uses the descriptors
“privacy” and “security” with the
term control, it is referring to those controls in circumstances
where the controls are selected,
implemented, and assessed for particular objectives.
The risk management processes described in this publication are
equally applicable to security
and privacy programs. However, the risks that security and
privacy programs are required to
manage are overlapping in some areas, but not in others.
Consequently, it is important that
organizations understand the interplay between privacy and
security to promote effective
collaboration between privacy and security officials at every
level of the organization.
31 For example, in Task C-2 of the Categorize step, privacy and
security programs work together to consider potential
adverse impacts to organizational operations, organizational
assets, individuals, other organizations, and the Nation
84. resulting from the loss of confidentiality, integrity, or
availability of PII in order to determine the impact level for the
information system. The resulting impact level drives the
selection of a security control baseline in Task S-1 of the
Select step.
32 Different controls may need to be selected to mitigate the
privacy risks associated with authorized processing of PII.
For example, there may be a risk that individuals would be
embarrassed or stigmatized if certain information is
disclosed about them. While encryption could prevent
unauthorized disclosure of PII, it would not address any privacy
risks related to disclosures to parties that are authorized to
decrypt and access the PII. To mitigate this privacy risk,
organizations would need to assess the risk of allowing
authorized parties to decrypt the information and potentially
select controls that would mitigate that risk. In such an
example, an organization might select controls to enable
individuals to understand the organization’s disclosure practices
and exercise choices about this access or use
differential privacy or privacy-enhancing cryptographic
techniques to disassociate the information from an individual.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
_____________________________________________________
___________________________________________
CHAPTER TWO PAGE 15
This publication is available free of charge from
85. : https://doi.org/10.6028/N
IST.S
P
.800-37r2
2.4 SYSTEM AND SYSTEM ELEMENTS
This publication uses the statutory definition of information
system for RMF execution. It is
important, however, to describe information systems in the
context of the SDLC process and
how security and privacy capabilities are implemented within
the components of those systems.
Therefore, organizations executing the RMF take a broad view
of the life cycle of information
system development to provide a contextual relationship and
linkage to architectural and
engineering concepts that allow security and privacy risks
(including supply chain risks) to be
addressed throughout the life cycle and at the appropriate level
of detail to help ensure that
such capabilities are achieved. [ISO 15288] provides an
engineering view of an information
system and the entities with which the system interacts in its
environment of operation.33
Similar to how federal law defines information system as a
discrete set of information resources
organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition
of information. [ISO 15288] defines a system as a set of
interacting elements that are organized
to achieve one or more stated purposes. Just as the information
resources that comprise an
86. information system include information and other resources
(e.g., personnel, equipment, funds,
and information technology), system elements include
technology or machine elements, human
elements, and physical or environmental elements. Each of the
system elements34 within the
system fulfills specified requirements and may be implemented
via hardware, software, or
firmware;35 physical structures or devices; or people,
processes, policies, and procedures.
Individual system elements or a combination of system elements
may satisfy stated system
requirements. Interconnections between system elements allow
those elements to interact as
necessary to produce a capability as specified by the system
requirements. Finally, every system
operates within an environment that influences the system and
its operation.
The authorization boundary defines the system36 for RMF
execution to facilitate risk
management and accountability. The system may be supported
by one or more enabling
systems that provide support during the system life cycle.
Enabling systems are not contained
within the authorization boundary of the system and do not
necessarily exist in the system’s
environment of operation. An enabling system may provide
common (i.e., inherited) controls for
the system or may include any type of service or functionality
used by the system such as
identification and authentication services, network services, or
monitoring functionality. Finally,
there are other systems the system interacts with in the
operational environment. The other
systems are also outside of the authorization boundary and may
87. be the beneficiaries of services
provided by the system or may simply have some general
interaction.37
33 [SP 800-160 v1] addresses system security engineering as
part of the SDLC.
34 The terms system element and information resource are used
interchangeably in this publication. Information
resources as defined in 44 U.S.C. Sec. 3502 include information
and related resources, such as personnel, equipment,
funds, and information technology. By law, a system is
composed of a discrete set of information resources.
35 The term system component refers to a system element that
is implemented via hardware, software, or firmware.
36 Historically, NIST has used the terms authorization boundary
and system boundary interchangeably. In the interest
of clarity, accuracy, and use of standardized terminology, the
term authorization boundary is now used exclusively to
refer to the set of system elements comprising the system to be
authorized for operation or authorized for use by an
authorizing official (i.e., the scope of the authorization).
Authorization boundary can also refer to the set of common
controls to be authorized for inheritance purposes.
37 Risk management and accountability for enabling systems
and other systems are addressed within their respective
authorization boundaries.
NIST SP 800-37, REVISION 2 RISK
MANAGEMENT FRAMEWORK FOR INFORMATION
SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
88. _____________________________________________________
___________________________________________
CHAPTER TWO PAGE 16
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Figure 5 illustrates the conceptual view of the system and the
relationships among the system,
system elements, enabling systems, other systems, and the
environment of operation.38
FIGURE 5: CONCEPTUAL VIEW OF THE SYSTEM
Certain parts of the environment of operation may be included
in the authorization boundary
(i.e., determined to be “in scope” for the authorization) while
other parts may be excluded. For
example, if the facility (i.e., environment of operation) that
provides protection for the system
elements is determined to be in scope for the authorization of
the system, the physical and
environmental protection controls (e.g., physical access controls
at entry points, perimeter
protection devices) are included in the authorization boundary
and therefore, are included in
the system security plan. If the facility provides physical and