In which document are the guidelines for implementing cybersecurity risk management found?

Prepare for the FedVTE Cyber Risk Management Test. Practice with flashcards and multiple choice questions, each with hints and explanations. Be ready for your exam!

The guidelines for implementing cybersecurity risk management are detailed in NIST Special Publication 800-37, which specifically addresses the Risk Management Framework (RMF) for information systems. This publication serves as a comprehensive guide that outlines the process for managing organizational risk associated with the operation and use of information systems. It includes steps for risk assessment, selection, implementation, assessment, authorization, and continuous monitoring, providing a structured approach for organizations to align their cybersecurity practices with federal requirements.

The focus of NIST SP 800-37 on both risk management and the RMF makes it the primary document for organizations looking to implement proper cybersecurity risk management practices. This is critical for ensuring that organizations can effectively identify, assess, and mitigate cybersecurity risks in a systematic way.
