Risk Management Framework - 1st Edition - ISBN: 9781597499958, 9780124047235

Risk Management Framework

1st Edition

A Lab-Based Approach to Securing Information Systems

Authors: James Broad
eBook ISBN: 9780124047235
Paperback ISBN: 9781597499958
Imprint: Syngress
Published Date: 22nd July 2013
Page Count: 316



The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a system's operation. Use of the RMF will help organizations maintain compliance with FISMA and OMB requirements, and it can also be tailored to meet other compliance requirements such as the Payment Card Industry (PCI) standard or Sarbanes-Oxley (SOX). With the publication of NIST SP 800-37 in 2010 and the move of the Intelligence Community and the Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals implement the process correctly. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that reinforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their own organization. The need for this book continues to expand as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates, and examples needed not only to understand the RMF but also to implement the process in the reader's own organization.

Key Features

  • A comprehensive case study from initiation to decommission and disposal
  • Detailed explanations of the complete RMF process and its linkage to the SDLC
  • Hands-on exercises to reinforce topics
  • Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before


Information Security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience among information assurance majors

Table of Contents

About the Author
Technical Editor
Companion Website
Chapter 1: Introduction
Book Overview And Key Learning Points

Book Audience

The Risk Management Framework (RMF)

Why This Book Is Different

A Note About National Security Systems

Book Organization

Part 1
Chapter 2: Laws, Regulations, and Guidance

Chapter Overview And Key Learning Points

The Case For Legal And Regulatory Requirements

Legal And Regulatory Organizations

Laws, Policies, And Regulations

National Institute Of Standards And Technology (NIST) Publications

Chapter 3: Integrated Organization-Wide Risk Management

Chapter Overview And Key Learning Points

Risk Management

Risk Management And The RMF

Components Of Risk Management

Multi-Tiered Risk Management

Risk Executive (Function)

Chapter 4: The Joint Task Force Transformation Initiative

Chapter Overview And Key Learning Points

Before The Joint Task Force Transformation Initiative

The Joint Task Force Transformation Initiative

Chapter 5: System Development Life Cycle (SDLC)

System Development Life Cycle (SDLC)

Traditional Systems Development Life Cycle (SDLC)

Traditional SDLC Considerations

Agile System Development

Chapter 6: Transitioning from the C&A Process to RMF

Chapter Overview And Key Learning Points


The Certification And Accreditation (C&A) Process

Introducing The RMF (A High-Level View)


Chapter 7: Key Positions and Roles

Chapter Overview And Key Learning Points

Key Roles To Implement The RMF

Part 2
Chapter 8: Lab Organization

Chapter Overview And Key Learning Points

The Department Of Social Media (DSM)

Organizational Structure

Risk Executive (Function)

Chapter 9: RMF Phase 1: Categorize the Information System

Chapter Overview And Key Learning Points

Phase 1, Task 1: Security Categorization

Phase 1, Task 2: Information Systems Description

Common Control Providers

Phase 1, Task 3: Information System Registration

Chapter 9 Lab Exercises: Information System Categorization

Chapter 10: RMF Phase 2: Selecting Security Controls

Chapter Overview And Key Learning Points

Selecting Security Controls

Chapter 10 Lab Exercises: Selecting Security Controls

Chapter 11: RMF Phase 3: Implementing Security Controls

Chapter Overview And Key Learning Points

Phase 3, Task 1: Security Control Implementation

Phase 3, Task 2: Security Control Documentation

Chapter 11 Lab Exercises: Selecting Security Controls

Chapter 12: RMF Phase 4: Assess Security Controls

Chapter Overview And Key Learning Points

Assessing Security Controls

Chapter 12 Lab Exercises: Assessing Security Controls

Chapter 13: RMF Phase 5: Authorizing the Information System

Chapter Overview And Key Learning Points

Phase 5, Task 1: Developing The Plan Of Action And Milestones (POA&M)

Phase 5, Task 2: Assembly Of The Authorization Package

Phase 5, Task 3: Determining Risk

Phase 5, Task 4: Accepting Risk

Chapter 13 Lab Exercises: Authorizing The Information System

Chapter 14: RMF Phase 6: Monitoring Security Controls

Chapter Overview And Key Learning Points

Phase 6, Task 1: Monitoring Information System And Environment Changes

Phase 6, Task 2: Ongoing Security Control Assessment

Phase 6, Task 3: Ongoing Remediation Actions

Phase 6, Task 4: Updating The Security Documentation

Phase 6, Task 5: Security Status Reporting

Phase 6, Task 6: Ongoing Risk Determination And Acceptance

Phase 6, Task 7: System Removal And Decommissioning

Chapter 14 Lab Exercises: Monitoring Security Controls

Chapter 15: The Expansion of the RMF

Chapter Overview And Key Learning Points

The Transition To The RMF

Future Updates To The RMF Process

Using The RMF With Other Control Sets And Requirements


Appendix A: Answers to Exercises in Chapters 9 through 14
Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Appendix B: Control Families and Classes
Appendix C: Security Control Assessment Requirements
NIST SP 800-53A Assessment Methods

Security Control Baseline Categorization

CNSSI 1253 Baseline Categorization

New Controls Planned In Revision 4

FedRAMP Controls

SP 800-53 Security Controls To HIPAA Security Rule

PCI DSS Standards

Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
Common Acronyms in this Book


© Syngress 2013

About the Author

James Broad

James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.

Affiliations and Expertise

President and Owner, Cyber-Recon, LLC.


"Writing for technical, administrative, and management professionals within the US government, information security consultant Broad explains the basics of the risk management framework as it pertains to the systems development life cycle of federal information technology systems, and suggests how to use this information during the development, assessment, and continuous monitoring of those systems." --Reference & Research Book News, December 2013
