
FISMA and the Risk Management Framework

The New Practice of Federal Cyber Security

FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing the risk associated with information resources in federal government agencies. Comprising 17 chapters, the book explains the FISMA legislation and its provisions, strengths, and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package (the system security plan, the security assessment report, and the plan of action and milestones); and federal information security management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.


Information Security Auditors, Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers

Paperback, 584 Pages

Published: November 2012

Imprint: Syngress

ISBN: 978-1-59749-641-4


  • "Gantz explains the Federal Information Security Management Act (FISMA), describes the obligations it places on federal agencies and others subject to the legislation's rules about securing information systems, and details the processes and activities needed to implement effective information security management following FISMA and using the Risk Management Framework of the National Institute of Standards and Technology."--Reference and Research Book News, August 2013


    Trademarks

    About the Author

    Chapter 1 Introduction

             Purpose and Rationale

             How to Use This Book

             Key Audience

        FISMA Applicability and Implementation

             Implementation Responsibilities

             FISMA Progress to Date

        FISMA Provisions

             Standards and Guidelines for Federal Information Systems

             System Certification and Accreditation

        Strengths and Shortcomings of FISMA

        Structure and Content

        Relevant Source Material


    Chapter 2 Federal Information Security Fundamentals

        Information Security in the Federal Government

             Brief History of Information Security

             Civilian, Defense, and Intelligence Sector Practices

             Legislative History of Information Security Management

        Certification and Accreditation

             FIPS 102

             NIST Special Publication 800-37

             NIST Risk Management Framework

             Joint Task Force Transformation Initiative

             Organizational Responsibilities

             Office of Management and Budget (OMB)

             National Institute of Standards and Technology (NIST)

             Department of Defense (DoD)

             Office of the Director of National Intelligence (ODNI)

             Department of Homeland Security (DHS)

             National Security Agency (NSA)

             General Services Administration (GSA)

             Government Accountability Office (GAO)

             Executive Office of the President

        Relevant Source Material


    Chapter 3 Thinking About Risk

        Understanding Risk

             Key Concepts

             Types of Risk

             Organizational Risk

        Trust, Assurance, and Security

             Trust and Trustworthiness

             Assurance and Confidence

             Trust Models

        Risk Associated with Information Systems

             Risk Management Framework

             Risk Management Life Cycle

             Other Risk Management Frameworks Used in Government Organizations

        Relevant Source Material


    Chapter 4 Thinking About Systems

        Defining Systems in Different Contexts

             Information Systems in FISMA and the RMF

             Information System Attributes

        Perspectives on Information Systems

             Information Security Management

             Capital Planning and Investment Control

             Enterprise Architecture

             System Development Life Cycle

             Information Privacy

        Establishing Information System Boundaries

             System Interconnections

        Maintaining System Inventories

        Relevant Source Material


    Chapter 5 Success Factors

        Prerequisites for Organizational Risk Management

             Justifying Information Security

             Key Upper Management Roles

        Managing the Information Security Program

             Organizational Policies, Procedures, Templates, and Guidance

        Compliance and Reporting

             Agency Reporting Requirements

             Information Security Program Evaluation

        Organizational Success Factors

             Budgeting and Resource Allocation

             Standardization, Automation, and Reuse


        Measuring Security Effectiveness

             Security Measurement Types

             Security Measurement Process

        Relevant Source Material


    Chapter 6 Risk Management Framework Planning and Initiation

        Planning the RMF Project

             Aligning to the SDLC

             Planning the RMF Timeline

        Prerequisites for RMF Initiation

             Inputs to Information System Categorization

             Inputs to Security Control Selection

             Organizational Policies, Procedures, Templates, and Guidance

             Identifying Responsible Personnel

        Establishing a Project Plan

        Roles and Responsibilities

        Getting the Project Underway

        Relevant Source Material


    Chapter 7 Risk Management Framework Steps 1 & 2

        Purpose and Objectives

        Standards and Guidance

        Step 1: Categorize Information System

             Security Categorization

             Information System Description

             Information System Registration

        Step 2: Select Security Controls

             Common Control Identification

             Security Control Selection

             Monitoring Strategy

             Security Plan Approval

        Relevant Source Material


    Chapter 8 Risk Management Framework Steps 3 & 4

        Working with Security Control Baselines

             Assurance Requirements

             Sources of Guidance on Security Controls

        Roles and Responsibilities

             Management Controls

             Operational Controls

             Technical Controls

             Program Management, Infrastructure, and Other Common Controls

        Step 3: Implement Security Controls

             Security Architecture Design

             Security Engineering and Control Implementation

             Security Control Documentation

        Step 4: Assess Security Controls

             Security Control Assessment Components

             Assessment Preparation

             Security Control Assessment

             Security Assessment Report

             Remediation Actions

        Relevant Source Material


    Chapter 9 Risk Management Framework Steps 5 & 6

        Preparing for System Authorization

        Step 5: Authorize Information System

             Plan of Action and Milestones

             Security Authorization Package

             Risk Determination

             Risk Acceptance

        Step 6: Monitor Security Controls

             Information System and Environment Changes

             Ongoing Security Control Assessments

             Ongoing Remediation Actions

             Key Updates

             Security Status Reporting

             Ongoing Risk Determination and Acceptance

             Information System Removal and Decommissioning

        Relevant Source Material


    Chapter 10 System Security Plan

        Purpose and Role of the System Security Plan

             System Security Plan Scope

             Defining the System Boundary

             Key Roles and Responsibilities

             The Role of the SSP within the RMF

        Structure and Content of the System Security Plan

             System Security Plan Format

             SSP Linkage to Other Key Artifacts

        Developing the System Security Plan

             Rules of Behavior

        Managing System Security Using the SSP

        Relevant Source Material


    Chapter 11 Security Assessment Report

        Security Assessment Fundamentals

             Security Control Assessors and Supporting Roles

             Assessment Timing and Frequency

             Scope and Level of Detail

             Security Assessment Report Structure and Contents

             Assessment Methods and Objects

        Performing Security Control Assessments

             Assessment Determinations

             Producing the Security Assessment Report

        The Security Assessment Report in Context

             The Purpose and Role of the Security Assessment Report

             Using the Security Assessment Report

        Relevant Source Material


    Chapter 12 Plan of Action and Milestones

        Regulatory Background

        Structure and Content of the Plan of Action and Milestones

             Agency-Level POA&M

             System-Level POA&M Information

             Creating POA&M Items

             Planning for Remediation

             Oversight of POA&M Creation

        Weaknesses and Deficiencies

             Risk Assessments

             Risk Responses

             Sources of Weaknesses

        Producing the Plan of Action and Milestones

             Timing and Frequency

        Maintaining and Monitoring the Plan of Action and Milestones

             Resolving POA&M Items

        Relevant Source Material


    Chapter 13 Risk Management

        Risk Management

             Key Risk Management Concepts

        Three-Tiered Approach

             Organizational Perspective

             Mission and Business Perspective

             Information System Perspective

             Trust and Trustworthiness

        Components of Risk Management

        Information System Risk Assessments

             Risk Models

             Assessment Methods

             Analysis Approaches

        Relevant Source Material


    Chapter 14 Continuous Monitoring

        The Role of Continuous Monitoring in the Risk Management Framework

             Monitoring Strategy

             Selecting Security Controls for Continuous

             Integrating Continuous Monitoring with Security

             Roles and Responsibilities

        Continuous Monitoring Process

             Define ISCM Strategy

             Establish ISCM Program

             Implement ISCM Program

             Analyze Data and Report Findings

             Respond to Findings

             Review and Update ISCM Program and Strategy

        Technical Solutions for Continuous Monitoring

             Manual vs. Automated Monitoring

             Data Gathering

             Aggregation and Analysis

             Automation and Reference Data Sources

        Relevant Source Material


    Chapter 15 Contingency Planning

        Introduction to Contingency Planning

             Contingency Planning Drivers

             Contingency Planning Controls

        Contingency Planning and Continuity of Operations

             Federal Requirements for Continuity of Operations Planning

             Distinguishing Contingency Planning from Continuity of Operations Planning

             Contingency Planning Components and Processes

        Information System Contingency Planning

             Develop Contingency Planning Policy

             Conduct Business Impact Analysis

             Identify Preventive Controls

             Create Contingency Strategies

             Develop Contingency Plan

             Conduct Plan Testing, Training, and Exercises

             Maintain Plan

        Developing the Information System Contingency Plan

             ISCP Introduction and Supporting Information

             Concept of Operations

             Activation and Notification

             Appendices and Supplemental Information

        Operational Requirements for Contingency Planning

             System Development and Engineering

             System Interconnections

             Technical Contingency Planning Considerations

        Relevant Source Material


    Chapter 16 Privacy

        Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act

             Privacy Provisions in the E-Government Act of 2002

             Privacy and Minimum Security Controls

             Privacy in FISMA Reporting

             FISMA Incident Reporting and Handling

        Federal Agency Requirements Under the Privacy Act

             Fair Information Practices

        Privacy Impact Assessments

             Applicability of Privacy Impact Assessments

             Conducting Privacy Impact Assessments

             Documenting and Publishing PIA Results

             System of Records Notices

             Updates to Privacy Impact Assessments for Third-Party Sources

             Privacy Impact Assessments within the Risk Management Framework

        Protecting Personally Identifiable Information (PII)

             Notification Requirements for Breaches of Personally Identifiable Information

        Other Legal and Regulatory Sources of Privacy

             Privacy Requirements Potentially Applicable to Agencies

        Relevant Source Material


    Chapter 17 Federal Initiatives

        Network Security

             Comprehensive National Cybersecurity Initiative

             Trusted Internet Connections

        Cloud Computing

        Application Security

             Tested Security Technologies

             Federal Information Processing Standards

             Common Criteria

             Secure Configuration Checklists

        Identity and Access Management

             Identity, Credential, and Access Management (ICAM)

             Personal Identity Verification

             Electronic Authentication

             Federal PKI

        Other Federal Security Management Requirements

             Personally Identifiable Information Protection

             OMB Memoranda

             Information Resources Management

             Federal Enterprise Architecture

             Open Government

        Relevant Source Material


    Appendix A References

    Appendix B Acronyms

    Appendix C Glossary


