The IT Law Wiki

Citation

NIST, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37, rev. 1 (Feb. 2010) (full-text).

Overview

This publication replaces the traditional certification and accreditation process with a six-step risk management framework (categorize, select, implement, assess, authorize, monitor), including a process of assessment and authorization.[1] According to the publication, the revised process emphasizes building information security capabilities into federal information systems through the application of security controls, combined with a continuous monitoring process that keeps the authorization decision current as the system and its threat environment change.

It also provides senior leaders with the information needed to make better-informed decisions about accepting the risk that arises from the operation and use of information systems.

References

  1. The assessment and authorization process replaces the process known as certification and accreditation described in the previous version of SP 800-37.