Industry:Draft NIST SP 800-37 Revision 1

Revision as of 14:14, 4 December 2009 by Dan Philpott (talk | contribs) (Added mailing list)


Return to Global Industry Committee

Activity Name: NIST SP 800-37 Revision 1 Final Public Draft

Short Description: Provide a response to "NIST SP 800-37 Revision 1 Final Public Draft: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"

Related Projects: NIST SP 800-53 Revision 3 Review

Email Contacts & Roles:
  • Primary: Dan Philpott
  • Primary: Rex Booth

Mailing list: Please use: OWASP GIC Review NIST SP 800-37r1

Objectives:
  • Review the Final Public Draft of NIST SP 800-37 Revision 1, in particular issues affecting web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement

Schedule:
  • December 1st, 2009 - Announce project, open enrollment
  • December 3rd, 2009 - Close enrollment
  • December 23rd, 2009 - Complete final draft response
  • December 24th, 2009 - Submit to NIST
  • December 31st, 2009 - Comment period ends
  • February, 2010 - Anticipated final publication

Status: In Progress

Review Plan

Review of the document shall be conducted primarily via the OWASP wiki. NIST SP 800-37 Revision 1 FPD has been converted to wiki format, broken into separate articles by Chapter/Appendix, and had its text linked to the glossary. Participants are requested to review the document text and comment in the appropriate section of the discussion page. Please sign your contributions and comment on each other's contributions as needed. The primary access point for the document is NIST SP 800-37 Revision 1 FPD Table of Contents/Category Entry. This contains a linked Table of Contents and all pages categorized as Category:GIC-NISTSP80037r1FPD.

Stage 1

Activities: All participants perform a high-level, document-wide review to develop familiarity with the document. Reviewers should focus on understanding the document layout and the basics of the Risk Management Framework; the goal at this stage is understanding, not critique.

Results: Keep notes general and impressionistic. Note sections that may merit further investigation and any initial impressions you have on strengths and weaknesses. Please do not comment on other contributors' work; consider this a brainstorming period.

Stage 2

Activities: Participants will be asked to perform a focused review of the sections identified in Stage 1. These "targeted sections" may be divided among project participants depending on project population and the number of target sections. Contributors will expand on their Stage 1 impressions of the strengths and weaknesses of the process. Participants are encouraged to comment on each other's comments.

Results: Each participant should develop a detailed set of comments for their assigned sections.

Stage 3

Activities: Participants will revise comments as needed and project management will consolidate and format comments for submission to NIST.

Results: A final list of comments for submission to NIST.

Submission Response

Latest first

Final Version


Identified Sections

The following parts have been identified for review:

