Risk Management Framework

Risk Management Framework

by James Broad
Released July 2013
Publisher(s): Syngress
ISBN: 9780124047235

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a systems operation. Use of the RMF will help organizations maintain compliance with not only FISMA and OMB requirements but can also be tailored to meet other compliance requirements such as Payment Card Industry (PCI) or Sarbanes Oxley (SOX). With the publishing of NIST SP 800-37 in 2010 and the move of the Intelligence Community and Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals correctly implement this process. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that will enforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their organization. The need for this book continues to expand as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed to not only understand the RMF but also implement this process in the reader’s own organization.

  • A comprehensive case study from initiation to decommission and disposal
  • Detailed explanations of the complete RMF process and its linkage to the SDLC
  • Hands on exercises to reinforce topics
  • Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright page
  5. Dedication
  6. Acknowledgments
  7. About the Author
  8. Technical Editor
  9. Companion Website
  10. Chapter 1: Introduction
    1. Book Overview and Key Learning Points
    2. Book Audience
    3. The Risk Management Framework (RMF)
    4. Why This Book Is Different
    5. A Note about National Security Systems
    6. Book Organization
  11. Part 1
    1. Introduction
    2. Chapter 2: Laws, Regulations, and Guidance
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. The Case for Legal and Regulatory Requirements
      4. Legal and Regulatory Organizations
      5. Laws, Policies, and Regulations
      6. National Institute of Standards and Technology (NIST) Publications
    3. Chapter 3: Integrated Organization-Wide Risk Management
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Risk Management
      4. Risk Management and the RMF
      5. Components of Risk Management
      6. Multi-tiered Risk Management
      7. Risk Executive (Function)
    4. Chapter 4: The Joint Task Force Transformation Initiative
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Before the Joint Task Force Transformation Initiative
      4. The Joint Task Force Transformation Initiative
    5. Chapter 5: System Development Life Cycle (SDLC)
      1. Abstract
      2. System Development Life Cycle (SDLC)
      3. Traditional Systems Development Life Cycle (SDLC)
      4. Traditional SDLC Considerations
      5. Agile System Development
    6. Chapter 6: Transitioning from the C&A Process to RMF
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. C&A to RMF
      4. The Certification and Accreditation (C&A) Process
      5. Introducing the RMF (A High-Level View)
      6. Transition
    7. Chapter 7: Key Positions and Roles
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Key Roles to Implement the RMF
  12. Part 2
    1. Introduction
    2. Chapter 8: Lab Organization
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. The Department of Social Media (DSM)
      4. Organizational Structure
      5. Risk Executive (Function)
    3. Chapter 9: RMF Phase 1: Categorize the Information System
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Phase 1, Task 1: Security Categorization
      4. Phase 1, Task 2: Information Systems Description
      5. Common Control Providers
      6. Phase 1, Task 3: Information System Registration
      7. Chapter 9 Lab Exercises: Information System Categorization
    4. Chapter 10: RMF Phase 2: Selecting Security Controls
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Selecting Security Controls
      4. Chapter 10 Lab Exercises: Selecting Security Controls
    5. Chapter 11: RMF Phase 3: Implementing Security Controls
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Phase 3, Task 1: Security Control Implementation
      4. Phase 3, Task 2: Security Control Documentation
      5. Chapter 11 Lab Exercises: Selecting Security Controls
    6. Chapter 12: RMF Phase 4: Assess Security Controls
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Assessing Security Controls
      4. Chapter 12 Lab Exercises: Assessing Security Controls
    7. Chapter 13: RMF Phase 5: Authorizing the Information System
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Phase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)
      4. Phase 5, Task 2: Assembly of the Authorization Package
      5. Phase 5, Task 3: Determining Risk
      6. Phase 5, Task 4: Accepting Risk
      7. Chapter 13 Lab Exercises: Authorizing the Information System
    8. Chapter 14: RMF Phase 6: Monitoring Security Controls
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. Phase 6, Task 1: Monitoring Information System and Environment Changes
      4. Phase 6, Task 2: Ongoing Security Control Assessment
      5. Phase 6, Task 3: Ongoing Remediation Actions
      6. Phase 6, Task 4: Updating the Security Documentation
      7. Phase 6, Task 5: Security Status Reporting
      8. Phase 6, Task 6: Ongoing Risk Determination and Acceptance
      9. Phase 6, Task 7: System Removal and Decommissioning
      10. Chapter 14 Lab Exercises: Monitoring Security Controls
    9. Chapter 15: The Expansion of the RMF
      1. Abstract
      2. Chapter Overview and Key Learning Points
      3. The Transition to the RMF
      4. Future Updates to the RMF Process
      5. Using the RMF with Other Control Sets and Requirements
      6. Conclusion
  13. Appendix A: Answers to Exercises in Chapters 9 through 14
    1. Chapter 9
    2. Chapter 10
    3. Chapter 11
    4. Chapter 12
    5. Chapter 13
    6. Chapter 14
  14. Appendix B: Control Families and Classes
  15. Appendix C: Security Control Assessment Requirements
    1. NIST SP 800-53A Assessment Methods
    2. Security Control Baseline Categorization
    3. CNSSI 1253 Baseline Categorization
    4. New Controls Planned in Revision 4
    5. FedRAMP Controls
    6. SP 800-53 Security Controls to HIPAA Security Rule
    7. PCI DSS Standards
  16. Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
  17. Glossary
  18. Common Acronyms in this Book
  19. References
  20. Index

Product information

  • Title: Risk Management Framework
  • Author(s): James Broad
  • Release date: July 2013
  • Publisher(s): Syngress
  • ISBN: 9780124047235