New guidelines issued for risk management in IT system security, authorization

NIST draft guidelines harmonize how government IT systems are certified and accredited across civilian, defense and intell communities

A revised set of guidelines for authorizing government information technology systems for operation focuses on implementing a risk management process and caps a three-year effort to harmonize IT certification and accreditation (C&A) across the civilian, defense and intelligence communities.

The National Institute of Standards and Technology  (NIST) has released for comment the final draft of Special Publication 800-37 Revision 1, titled “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”

The publication is the second in a series being developed by the Joint Task Force Transformation Initiative, a partnership among NIST, the Office of the Director of National Intelligence, the Defense Department and the Committee on National Security Systems to create a common information security framework for agencies and contractors.

“A common foundation for information security will also provide a strong basis for reciprocal acceptance of security authorization decisions and facilitate information-sharing,” NIST said of the effort.

The first publication produced under the Joint Task Force was Revision 3 of SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” released in July.

NIST called the revised version of SP 800-53 historic in that it unified security controls, reflecting the security requirements of both the national security community and the rest of government.

“NIST Special Publication 800-37, Revision 1, continues the transformation by significantly changing the traditional process employed by the federal government to certify and accredit federal information systems,” NIST said in introducing the document. Final publication of the document is expected in February.

Greater emphasis now is placed on three critical areas:

  • Building information security capabilities into systems through the application of state-of-the-practice management, operational and technical security controls
  • Maintaining awareness of the security state of systems on an ongoing basis though enhanced monitoring, and
  • Understanding and accepting the risk to operations and assets, individuals, other organizations, and the nation posed by the use of these systems.

“The risk management process described in this publication changes the traditional focus from the stovepipe, organization-centric, static-based approaches to C&A and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions,” NIST said.

NIST is charged with developing standards and specifications for compliance with the Federal Information Security Management Act, which sets out requirements for managing the security of government information systems outside the national security community. DOD and the intelligence agencies have developed their own standards and processes for national security systems. A single governmentwide approach to managing IT security could make it easier for agencies to share data and cooperate with each other and with states, foreign allies and the private sector. It also could enable reciprocity, the acceptance of other agencies’ C&A processes without requiring recertification, and streamline acquisition processes and make it easier for vendors and developers to meet a single set of standards.

In addition to harmonizing IT security standards across government, NIST also is working with the private sector to map relationships between security standards and guidelines developed by NIST and those of the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS).

NIST said that the most significant change in the final draft of SP 800-37, Revision 1, is the transformation of the old certification and accreditation process into the six-step Risk Management Framework. The revised process:

  • Integrates information security more closely into the enterprise architecture and system development life cycle;
  • Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems;
  • Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function);
  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes; and
  • Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions.

Comments on the SP 800-37, Revision 1, should be e-mailed by Dec. 31 to [email protected].

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.