FISMA and the Risk Management Framework

Book description

FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Comprised of 17 chapters, the book explains the FISMA legislation and its provisions, strengths and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package: the system security plan, the security assessment report, and the plan of action and milestones; and federal information security management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.
  • Learn how to build a robust, near real-time risk management system and comply with FISMA
  • Discover the changes to FISMA compliance and beyond
  • Get your systems the authorization they need

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Trademarks
  7. Acknowledgements
  8. About the Author
  9. Chapter 1. Introduction
    1. Introduction
    2. FISMA Applicability and Implementation
    3. FISMA Provisions
    4. Strengths and Shortcomings of FISMA
    5. Structure and Content
    6. Relevant Source Material
    7. Summary
    8. References
  10. Chapter 2. Federal Information Security Fundamentals
    1. Information Security in the Federal Government
    2. Certification and Accreditation
    3. Organizational Responsibilities
    4. Relevant Source Material
    5. Summary
    6. References
  11. Chapter 3. Thinking About Risk
    1. Understanding Risk
    2. Trust, Assurance, and Security
    3. Risk Associated with Information Systems
    4. Relevant Source Material
    5. Summary
    6. References
  12. Chapter 4. Thinking About Systems
    1. Defining Systems in Different Contexts
    2. Perspectives on Information Systems
    3. Establishing Information System Boundaries
    4. Maintaining System Inventories
    5. Relevant Source Material
    6. Summary
    7. References
  13. Chapter 5. Success Factors
    1. Prerequisites for Organizational Risk Management
    2. Managing the Information Security Program
    3. Compliance and Reporting
    4. Organizational Success Factors
    5. Measuring Security Effectiveness
    6. Relevant Source Material
    7. Summary
    8. References
  14. Chapter 6. Risk Management Framework Planning and Initiation
    1. Planning
    2. Planning the RMF Project
    3. Prerequisites for RMF Initiation
    4. Establishing a Project Plan
    5. Roles and Responsibilities
    6. Getting the Project Underway
    7. Relevant Source Material
    8. Summary
    9. References
  15. Chapter 7. Risk Management Framework Steps 1 & 2
    1. Purpose and Objectives
    2. Standards and Guidance
    3. Step 1: Categorize Information System
    4. Step 2: Select Security Controls
    5. Relevant Source Material
    6. Summary
    7. References
  16. Chapter 8. Risk Management Framework Steps 3 & 4
    1. Working with Security Control Baselines
    2. Roles and Responsibilities
    3. Step 3: Implement Security Controls
    4. Step 4: Assess Security Controls
    5. Relevant Source Material
    6. Summary
    7. References
  17. Chapter 9. Risk Management Framework Steps 5 & 6
    1. Preparing for System Authorization
    2. Step 5: Authorize Information System
    3. Step 6: Monitor Security Controls
    4. Relevant Source Material
    5. Summary
    6. References
  18. Chapter 10. System Security Plan
    1. Purpose and Role of the System Security Plan
    2. Structure and Content of the System Security Plan
    3. Developing the System Security Plan
    4. Managing System Security Using the SSP
    5. Relevant Source Material
    6. Summary
    7. References
  19. Chapter 11. Security Assessment Report
    1. Security Assessment Fundamentals
    2. Performing Security Control Assessments
    3. The Security Assessment Report in Context
    4. Relevant Source Material
    5. Summary
    6. References
  20. Chapter 12. Plan of Action and Milestones
    1. Regulatory Background
    2. Structure and Content of the Plan of Action and Milestones
    3. Weaknesses and Deficiencies
    4. Producing the Plan of Action and Milestones
    5. Maintaining and Monitoring the Plan of Action and Milestones
    6. Relevant Source Material
    7. Summary
    8. References
  21. Chapter 13. Risk Management
    1. Risk Management
    2. Three-Tiered Approach
    3. Components of Risk Management
    4. Information System Risk Assessments
    5. Relevant Source Material
    6. Summary
    7. References
  22. Chapter 14. Continuous Monitoring
    1. The Role of Continuous Monitoring in the Risk Management Framework
    2. Continuous Monitoring Process
    3. Technical Solutions for Continuous Monitoring
    4. Relevant Source Material
    5. Summary
    6. References
  23. Chapter 15. Contingency Planning
    1. Introduction to Contingency Planning
    2. Contingency Planning and Continuity of Operations
    3. Information System Contingency Planning
    4. Developing the Information System Contingency Plan
    5. Operational Requirements for Contingency Planning
    6. Relevant Source Material
    7. Summary
    8. References
  24. Chapter 16. Privacy
    1. Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act
    2. Federal Agency Requirements Under the Privacy Act
    3. Privacy Impact Assessments
    4. Protecting Personally Identifiable Information (PII)
    5. Other Legal and Regulatory Sources of Privacy Requirements
    6. Relevant Source Material
    7. Summary
    8. References
  25. Chapter 17. Federal Initiatives
    1. Network Security
    2. Cloud Computing
    3. Application Security
    4. Identity and Access Management
    5. Other Federal Security Management Requirements
    6. Relevant Source Material
    7. Summary
    8. References
  26. Appendix A. References
    1. References
  27. Appendix B. Acronyms
    1. Acronyms and Abbreviations
  28. Appendix C. Glossary
    1. Glossary
  29. Index

Product information

  • Title: FISMA and the Risk Management Framework
  • Author(s): Daniel R. Philpott, Stephen D. Gantz
  • Release date: December 2012
  • Publisher(s): Syngress
  • ISBN: 9781597496421