FISMA and the Risk Management Framework

The New Practice of Federal Cyber Security


  • Stephen Gantz, CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, Founder and Principal Architect of
  • Daniel Philpott, Federal Information Security Architect, Information Assurance Division of Tantus Technologies

FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Comprising 17 chapters, the book explains the FISMA legislation and its provisions, strengths and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package: the system security plan, the security assessment report, and the plan of action and milestones; and federal information security management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.


Audience: Information Security Auditors, Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers


Book information

  • Published: November 2012
  • Imprint: SYNGRESS
  • ISBN: 978-1-59749-641-4


"Gantz explains the Federal Information Security Management Act (FISMA), describes the obligations it places on federal agencies and others subject to the legislation's rules about securing information systems, and details the processes and activities needed to implement effective information security management following FISMA and using the Risk Management Framework of the National Institute of Standards and Technology."--Reference and Research Book News, August 2013

Table of Contents

About the Author

Chapter 1 Introduction
         Purpose and Rationale
         How to Use This Book
         Key Audience
    FISMA Applicability and Implementation
         Implementation Responsibilities
         FISMA Progress to Date
    FISMA Provisions
         Standards and Guidelines for Federal Information Systems
         System Certification and Accreditation
    Strengths and Shortcomings of FISMA
    Structure and Content
    Relevant Source Material

Chapter 2 Federal Information Security Fundamentals
    Information Security in the Federal Government
         Brief History of Information Security
         Civilian, Defense, and Intelligence Sector Practices
         Legislative History of Information Security Management
    Certification and Accreditation
         FIPS 102
         NIST Special Publication 800-37
         NIST Risk Management Framework
         Joint Task Force Transformation Initiative
         Organizational Responsibilities
         Office of Management and Budget (OMB)
         National Institute of Standards and Technology (NIST)
         Department of Defense (DoD)
         Office of the Director of National Intelligence (ODNI)
         Department of Homeland Security (DHS)
         National Security Agency (NSA)
         General Services Administration (GSA)
         Government Accountability Office (GAO)
         Executive Office of the President
    Relevant Source Material

Chapter 3 Thinking About Risk
    Understanding Risk
         Key Concepts
         Types of Risk
         Organizational Risk
    Trust, Assurance, and Security
         Trust and Trustworthiness
         Assurance and Confidence
         Trust Models
    Risk Associated with Information Systems
         Risk Management Framework
         Risk Management Life Cycle
         Other Risk Management Frameworks Used in Government Organizations
    Relevant Source Material

Chapter 4 Thinking About Systems
    Defining Systems in Different Contexts
         Information Systems in FISMA and the RMF
         Information System Attributes
    Perspectives on Information Systems
         Information Security Management
         Capital Planning and Investment Control
         Enterprise Architecture
         System Development Life Cycle
         Information Privacy
    Establishing Information System Boundaries
         System Interconnections
    Maintaining System Inventories
    Relevant Source Material

Chapter 5 Success Factors
    Prerequisites for Organizational Risk Management
         Justifying Information Security
         Key Upper Management Roles
    Managing the Information Security Program
         Organizational Policies, Procedures, Templates, and Guidance
    Compliance and Reporting
         Agency Reporting Requirements
         Information Security Program Evaluation
    Organizational Success Factors
         Budgeting and Resource Allocation
         Standardization, Automation, and Reuse
    Measuring Security Effectiveness
         Security Measurement Types
         Security Measurement Process
    Relevant Source Material

Chapter 6 Risk Management Framework Planning and Initiation
    Planning the RMF Project
         Aligning to the SDLC
         Planning the RMF Timeline
    Prerequisites for RMF Initiation
         Inputs to Information System Categorization
         Inputs to Security Control Selection
         Organizational Policies, Procedures, Templates, and Guidance
         Identifying Responsible Personnel
    Establishing a Project Plan
    Roles and Responsibilities
    Getting the Project Underway
    Relevant Source Material

Chapter 7 Risk Management Framework Steps 1 & 2
    Purpose and Objectives
    Standards and Guidance
    Step 1: Categorize Information System
         Security Categorization
         Information System Description
         Information System Registration
    Step 2: Select Security Controls
         Common Control Identification
         Security Control Selection
         Monitoring Strategy
         Security Plan Approval
    Relevant Source Material

Chapter 8 Risk Management Framework Steps 3 & 4
    Working with Security Control Baselines
         Assurance Requirements
         Sources of Guidance on Security Controls
    Roles and Responsibilities
         Management Controls
         Operational Controls
         Technical Controls
         Program Management, Infrastructure, and Other Common Controls
    Step 3: Implement Security Controls
         Security Architecture Design
         Security Engineering and Control Implementation
         Security Control Documentation
    Step 4: Assess Security Controls
         Security Control Assessment Components
         Assessment Preparation
         Security Control Assessment
         Security Assessment Report
         Remediation Actions
    Relevant Source Material

Chapter 9 Risk Management Framework Steps 5 & 6
    Preparing for System Authorization
    Step 5: Authorize Information System
         Plan of Action and Milestones
         Security Authorization Package
         Risk Determination
         Risk Acceptance
    Step 6: Monitor Security Controls
         Information System and Environment Changes
         Ongoing Security Control Assessments
         Ongoing Remediation Actions
         Key Updates
         Security Status Reporting
         Ongoing Risk Determination and Acceptance
         Information System Removal and Decommissioning
    Relevant Source Material

Chapter 10 System Security Plan
    Purpose and Role of the System Security Plan
         System Security Plan Scope
         Defining the System Boundary
         Key Roles and Responsibilities
         The Role of the SSP within the RMF
    Structure and Content of the System Security Plan
         System Security Plan Format
         SSP Linkage to Other Key Artifacts
    Developing the System Security Plan
         Rules of Behavior
    Managing System Security Using the SSP
    Relevant Source Material

Chapter 11 Security Assessment Report
    Security Assessment Fundamentals
         Security Control Assessors and Supporting Roles
         Assessment Timing and Frequency
         Scope and Level of Detail
         Security Assessment Report Structure and Contents
         Assessment Methods and Objects
    Performing Security Control Assessments
         Assessment Determinations
         Producing the Security Assessment Report
    The Security Assessment Report in Context
         The Purpose and Role of the Security Assessment Report
         Using the Security Assessment Report
    Relevant Source Material

Chapter 12 Plan of Action and Milestones
    Regulatory Background
    Structure and Content of the Plan of Action and Milestones
         Agency-Level POA&M
         System-Level POA&M Information
         Creating POA&M Items
         Planning for Remediation
         Oversight of POA&M Creation
    Weaknesses and Deficiencies
         Risk Assessments
         Risk Responses
         Sources of Weaknesses
    Producing the Plan of Action and Milestones
         Timing and Frequency
    Maintaining and Monitoring the Plan of Action and Milestones
         Resolving POA&M Items
    Relevant Source Material

Chapter 13 Risk Management
    Risk Management
         Key Risk Management Concepts
    Three-Tiered Approach
         Organizational Perspective
         Mission and Business Perspective
         Information System Perspective
         Trust and Trustworthiness
    Components of Risk Management
    Information System Risk Assessments
         Risk Models
         Assessment Methods
         Analysis Approaches
    Relevant Source Material

Chapter 14 Continuous Monitoring
    The Role of Continuous Monitoring in the Risk Management Framework
         Monitoring Strategy
         Selecting Security Controls for Continuous
         Integrating Continuous Monitoring with Security
         Roles and Responsibilities
    Continuous Monitoring Process
         Define ISCM Strategy
         Establish ISCM Program
         Implement ISCM Program
         Analyze Data and Report Findings
         Respond to Findings
         Review and Update ISCM Program and Strategy
    Technical Solutions for Continuous Monitoring
         Manual vs. Automated Monitoring
         Data Gathering
         Aggregation and Analysis
         Automation and Reference Data Sources
    Relevant Source Material

Chapter 15 Contingency Planning
    Introduction to Contingency Planning
         Contingency Planning Drivers
         Contingency Planning Controls
    Contingency Planning and Continuity of Operations
         Federal Requirements for Continuity of Operations Planning
         Distinguishing Contingency Planning from Continuity of Operations Planning
         Contingency Planning Components and Processes
    Information System Contingency Planning
         Develop Contingency Planning Policy
         Conduct Business Impact Analysis
         Identify Preventive Controls
         Create Contingency Strategies
         Develop Contingency Plan
         Conduct Plan Testing, Training, and Exercises
         Maintain Plan
    Developing the Information System Contingency Plan
         ISCP Introduction and Supporting Information
         Concept of Operations
         Activation and Notification
         Appendices and Supplemental Information
    Operational Requirements for Contingency Planning
         System Development and Engineering
         System Interconnections
         Technical Contingency Planning Considerations
    Relevant Source Material

Chapter 16 Privacy
    Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act
         Privacy Provisions in the E-Government Act of 2002
         Privacy and Minimum Security Controls
         Privacy in FISMA Reporting
         FISMA Incident Reporting and Handling
    Federal Agency Requirements Under the Privacy Act
         Fair Information Practices
    Privacy Impact Assessments
         Applicability of Privacy Impact Assessments
         Conducting Privacy Impact Assessments
         Documenting and Publishing PIA Results
         System of Records Notices
         Updates to Privacy Impact Assessments for Third-Party Sources
         Privacy Impact Assessments within the Risk Management Framework
    Protecting Personally Identifiable Information (PII)
         Notification Requirements for Breaches of Personally Identifiable Information
    Other Legal and Regulatory Sources of Privacy
         Privacy Requirements Potentially Applicable to Agencies
    Relevant Source Material

Chapter 17 Federal Initiatives
    Network Security
         Comprehensive National Cybersecurity Initiative
         Trusted Internet Connections
    Cloud Computing
    Application Security
         Tested Security Technologies
         Federal Information Processing Standards
         Common Criteria
         Secure Configuration Checklists
    Identity and Access Management
         Identity, Credential, and Access Management (ICAM)
         Personal Identity Verification
         Electronic Authentication
         Federal PKI
    Other Federal Security Management Requirements
         Personally Identifiable Information Protection
         OMB Memoranda
         Information Resources Management
         Federal Enterprise Architecture
         Open Government
    Relevant Source Material

Appendix A References

Appendix B Acronyms

Appendix C Glossary