Which U.S. standard is used by federal government agencies to manage enterprise risk?

This framework primarily focuses on internal controls and risk management in organizations, particularly in the private sector. While it offers valuable guidelines, it is not specifically designed for federal agencies nor does it address the unique aspects of enterprise risk management as outlined in NIST SP 800-37.

SSAE 18 is an auditing standard that provides guidelines for assessing the controls of service organizations. It is relevant for the auditing process but does not serve as a comprehensive risk management framework for federal agencies, making it less applicable in this context.

ISO 37000 is a standard that offers guidance on governance principles, focusing on the effective and ethical governance of organizations. While governance is a crucial aspect of risk management, this standard does not specifically cater to enterprise risk management for federal agencies like NIST SP 800-37 does.