What is the purpose of NIST SP 800-37?


Multiple Choice

What is the purpose of NIST SP 800-37?

Explanation:
NIST SP 800-37 defines the process for security certification and authorization of federal information systems, using the Risk Management Framework to ensure systems meet security requirements before operation and continue to be monitored over time. It describes a structured lifecycle—categorize the system, select and tailor security controls, implement them, assess their effectiveness, obtain an authorization to operate, and continuously monitor the security posture. This framework provides the formal pathway for an authorizing official to decide whether residual risk is acceptable and the system can operate within the federal environment. While related activities like developing security plans, contingency planning, or mapping information types to categories are part of broader risk management, the core purpose of SP 800-37 is to guide the certification and accreditation process.

