
NIST 800-37 vs. NIST 800-53: What’s the difference?

NIST 800-53 and NIST 800-37 are both Special Publications from the National Institute of Standards and Technology (NIST), and both are concerned with managing cyber security risk. Although the two publications share a common theme and many similarities, they differ in what they set out:

NIST 800-53 is a catalogue of security and privacy controls, whereas NIST 800-37 provides guidance on implementing a risk management framework and selects controls from that catalogue as one of its steps.

In this article, Hicomply explains the differences between NIST 800-53 vs. NIST 800-37 and how these publications are used to manage information security in federal agencies and similar organisations working within the US government.

What is NIST 800-53?

NIST 800-53 was developed to provide security and privacy guidance for federal agencies and for organisations that operate systems on behalf of the US government. The publication is a catalogue of security and privacy controls (safeguards and countermeasures such as access control, audit logging, configuration management and incident response), each with supplemental guidance on how it should be implemented. Companion publications build on the catalogue: NIST 800-53B defines the control baselines selected for low, moderate and high impact systems, and NIST 800-53A provides the procedures used to assess whether the controls are implemented correctly and operating as intended. Although NIST 800-53 is only mandatory for federal information systems (under FISMA, by way of FIPS 200), many other organisations adopt its controls voluntarily to strengthen their security framework.

What is NIST 800-37?

Developed by the Joint Task Force, NIST 800-37 explains how to build and run a risk management programme for information systems. Also known as the Risk Management Framework (RMF), it describes a repeatable process that organisations can tailor to their own systems and business context. The current revision (Rev. 2) defines seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor. Security and privacy are treated together throughout, and the Prepare step was added specifically to modernise how federal agencies and similar organisations approach risk before a system is categorised. Applying the RMF gives an organisation a structured, auditable way to turn its risk decisions into information security and privacy practices and policies.

What is the difference between NIST 800-37 vs NIST 800-53?

The most notable differences between NIST 800-37 vs. NIST 800-53 are as follows:

Scope: NIST 800-53 focuses specifically on security and privacy controls, whereas NIST 800-37 focuses on the broader risk management process.

Purpose: NIST 800-53 provides detailed guidance on individual controls and how to implement them, whereas NIST 800-37 guides the entire risk management process from preparation through to continuous monitoring.

Users: NIST 800-53 is primarily used by security and IT professionals responsible for implementing and assessing controls, whereas NIST 800-37 is used by risk managers, authorising officials, security professionals and system developers responsible for operating the RMF.

Essentially, NIST 800-37 is the process and NIST 800-53 is the content that process draws on: the Select step of the RMF chooses a baseline of NIST 800-53 controls appropriate to the system's impact level, the Implement step puts those controls in place, and the Assess step checks them. Neither publication is a regulation in its own right; both are NIST Special Publications that federal agencies are required to follow under FISMA. Rather than competing, the two publications complement one another in the overall security management landscape.

Compliance as you work with Hicomply

We hope this article on the difference between NIST 800-37 vs. NIST 800-53 has been helpful. If you want to know more about either NIST publication, visit the NIST info hub. If you’re interested in learning more about how Hicomply can help your organisation, contact us today for a free demo.