book

Risk Management Framework

Name: Risk Management Framework
Author: James Broad
ISBN: 9780124047235

by James Broad

July 2013

Intermediate to advanced

316 pages

8h 29m

English

Syngress

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright page
Dedication
Acknowledgments
About the Author
Technical Editor
Companion Website
Chapter 1: Introduction
Book Overview and Key Learning PointsBook AudienceThe Risk Management Framework (RMF)Why This Book Is DifferentA Note about National Security SystemsBook Organization

Part 1
Introduction
Chapter 2: Laws, Regulations, and Guidance
AbstractChapter Overview and Key Learning PointsThe Case for Legal and Regulatory RequirementsLegal and Regulatory OrganizationsLaws, Policies, and RegulationsNational Institute of Standards and Technology (NIST) Publications
Chapter 3: Integrated Organization-Wide Risk Management
AbstractChapter Overview and Key Learning PointsRisk ManagementRisk Management and the RMFComponents of Risk ManagementMulti-tiered Risk ManagementRisk Executive (Function)
Chapter 4: The Joint Task Force Transformation Initiative
AbstractChapter Overview and Key Learning PointsBefore the Joint Task Force Transformation InitiativeThe Joint Task Force Transformation Initiative
Chapter 5: System Development Life Cycle (SDLC)
AbstractSystem Development Life Cycle (SDLC)Traditional Systems Development Life Cycle (SDLC)Traditional SDLC ConsiderationsAgile System Development
Chapter 6: Transitioning from the C&A Process to RMF
AbstractChapter Overview and Key Learning PointsC&A to RMFThe Certification and Accreditation (C&A) ProcessIntroducing the RMF (A High-Level View)Transition
Chapter 7: Key Positions and Roles
AbstractChapter Overview and Key Learning PointsKey Roles to Implement the RMF
Part 2
Introduction
Chapter 8: Lab Organization
AbstractChapter Overview and Key Learning PointsThe Department of Social Media (DSM)Organizational StructureRisk Executive (Function)
Chapter 9: RMF Phase 1: Categorize the Information System
AbstractChapter Overview and Key Learning PointsPhase 1, Task 1: Security CategorizationPhase 1, Task 2: Information Systems DescriptionCommon Control ProvidersPhase 1, Task 3: Information System RegistrationChapter 9 Lab Exercises: Information System Categorization
Chapter 10: RMF Phase 2: Selecting Security Controls
AbstractChapter Overview and Key Learning PointsSelecting Security ControlsChapter 10 Lab Exercises: Selecting Security Controls
Chapter 11: RMF Phase 3: Implementing Security Controls
AbstractChapter Overview and Key Learning PointsPhase 3, Task 1: Security Control ImplementationPhase 3, Task 2: Security Control DocumentationChapter 11 Lab Exercises: Selecting Security Controls
Chapter 12: RMF Phase 4: Assess Security Controls
AbstractChapter Overview and Key Learning PointsAssessing Security ControlsChapter 12 Lab Exercises: Assessing Security Controls
Chapter 13: RMF Phase 5: Authorizing the Information System
AbstractChapter Overview and Key Learning PointsPhase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)Phase 5, Task 2: Assembly of the Authorization PackagePhase 5, Task 3: Determining RiskPhase 5, Task 4: Accepting RiskChapter 13 Lab Exercises: Authorizing the Information System
Chapter 14: RMF Phase 6: Monitoring Security Controls
AbstractChapter Overview and Key Learning PointsPhase 6, Task 1: Monitoring Information System and Environment ChangesPhase 6, Task 2: Ongoing Security Control AssessmentPhase 6, Task 3: Ongoing Remediation ActionsPhase 6, Task 4: Updating the Security DocumentationPhase 6, Task 5: Security Status ReportingPhase 6, Task 6: Ongoing Risk Determination and AcceptancePhase 6, Task 7: System Removal and DecommissioningChapter 14 Lab Exercises: Monitoring Security Controls
Chapter 15: The Expansion of the RMF
AbstractChapter Overview and Key Learning PointsThe Transition to the RMFFuture Updates to the RMF ProcessUsing the RMF with Other Control Sets and RequirementsConclusion
Appendix A: Answers to Exercises in Chapters 9 through 14
Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14
Appendix B: Control Families and Classes
Appendix C: Security Control Assessment Requirements
NIST SP 800-53A Assessment MethodsSecurity Control Baseline CategorizationCNSSI 1253 Baseline CategorizationNew Controls Planned in Revision 4FedRAMP ControlsSP 800-53 Security Controls to HIPAA Security RulePCI DSS Standards
Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
Glossary
Common Acronyms in this Book
References
Index

Overview

The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a systems operation. Use of the RMF will help organizations maintain compliance with not only FISMA and OMB requirements but can also be tailored to meet other compliance requirements such as Payment Card Industry (PCI) or Sarbanes Oxley (SOX). With the publishing of NIST SP 800-37 in 2010 and the move of the Intelligence Community and Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals correctly implement this process. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that will enforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their organization. The need for this book continues to expand as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed to not only understand the RMF but also implement this process in the reader’s own organization.

A comprehensive case study from initiation to decommission and disposal
Detailed explanations of the complete RMF process and its linkage to the SDLC
Hands on exercises to reinforce topics
Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781597499958

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills