FISMA and the Risk Management Framework

Book Description

If you are responsible for meeting federal information security requirements such as FISMA, this book is all you need to know to get a system authorized. With the first full revision of FISMA since its inception in 2002, a new wave of stronger security measures is now available through the efforts of the Department of Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems and the National Institute of Standards and Technology.

Based on the new FISMA requirements for 2011 and beyond, this book catalogs the processes, procedures and specific security recommendations underlying the new Risk Management Framework. Written by an experienced FISMA practitioner, this book presents an effective system of information assurance, real-time risk monitoring and secure configurations for common operating systems.

  • Learn how to build a robust, near real-time risk management system and comply with FISMA
  • Discover the changes to FISMA compliance and beyond
  • Gain the authorization your systems need

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Trademarks
  7. Acknowledgements
  8. About the Author
  9. Chapter 1. Introduction
    1. Introduction
    2. FISMA Applicability and Implementation
    3. FISMA Provisions
    4. Strengths and Shortcomings of FISMA
    5. Structure and Content
    6. Relevant Source Material
    7. Summary
    8. References
  10. Chapter 2. Federal Information Security Fundamentals
    1. Information Security in the Federal Government
    2. Certification and Accreditation
    3. Organizational Responsibilities
    4. Relevant Source Material
    5. Summary
    6. References
  11. Chapter 3. Thinking About Risk
    1. Understanding Risk
    2. Trust, Assurance, and Security
    3. Risk Associated with Information Systems
    4. Relevant Source Material
    5. Summary
    6. References
  12. Chapter 4. Thinking About Systems
    1. Defining Systems in Different Contexts
    2. Perspectives on Information Systems
    3. Establishing Information System Boundaries
    4. Maintaining System Inventories
    5. Relevant Source Material
    6. Summary
    7. References
  13. Chapter 5. Success Factors
    1. Prerequisites for Organizational Risk Management
    2. Managing the Information Security Program
    3. Compliance and Reporting
    4. Organizational Success Factors
    5. Measuring Security Effectiveness
    6. Relevant Source Material
    7. Summary
    8. References
  14. Chapter 6. Risk Management Framework Planning and Initiation
    1. Planning
    2. Planning the RMF Project
    3. Prerequisites for RMF Initiation
    4. Establishing a Project Plan
    5. Roles and Responsibilities
    6. Getting the Project Underway
    7. Relevant Source Material
    8. Summary
    9. References
  15. Chapter 7. Risk Management Framework Steps 1 & 2
    1. Purpose and Objectives
    2. Standards and Guidance
    3. Step 1: Categorize Information System
    4. Step 2: Select Security Controls
    5. Relevant Source Material
    6. Summary
    7. References
  16. Chapter 8. Risk Management Framework Steps 3 & 4
    1. Working with Security Control Baselines
    2. Roles and Responsibilities
    3. Step 3: Implement Security Controls
    4. Step 4: Assess Security Controls
    5. Relevant Source Material
    6. Summary
    7. References
  17. Chapter 9. Risk Management Framework Steps 5 & 6
    1. Preparing for System Authorization
    2. Step 5: Authorize Information System
    3. Step 6: Monitor Security Controls
    4. Relevant Source Material
    5. Summary
    6. References
  18. Chapter 10. System Security Plan
    1. Purpose and Role of the System Security Plan
    2. Structure and Content of the System Security Plan
    3. Developing the System Security Plan
    4. Managing System Security Using the SSP
    5. Relevant Source Material
    6. Summary
    7. References
  19. Chapter 11. Security Assessment Report
    1. Security Assessment Fundamentals
    2. Performing Security Control Assessments
    3. The Security Assessment Report in Context
    4. Relevant Source Material
    5. Summary
    6. References
  20. Chapter 12. Plan of Action and Milestones
    1. Regulatory Background
    2. Structure and Content of the Plan of Action and Milestones
    3. Weaknesses and Deficiencies
    4. Producing the Plan of Action and Milestones
    5. Maintaining and Monitoring the Plan of Action and Milestones
    6. Relevant Source Material
    7. Summary
    8. References
  21. Chapter 13. Risk Management
    1. Risk Management
    2. Three-Tiered Approach
    3. Components of Risk Management
    4. Information System Risk Assessments
    5. Relevant Source Material
    6. Summary
    7. References
  22. Chapter 14. Continuous Monitoring
    1. The Role of Continuous Monitoring in the Risk Management Framework
    2. Continuous Monitoring Process
    3. Technical Solutions for Continuous Monitoring
    4. Relevant Source Material
    5. Summary
    6. References
  23. Chapter 15. Contingency Planning
    1. Introduction to Contingency Planning
    2. Contingency Planning and Continuity of Operations
    3. Information System Contingency Planning
    4. Developing the Information System Contingency Plan
    5. Operational Requirements for Contingency Planning
    6. Relevant Source Material
    7. Summary
    8. References
  24. Chapter 16. Privacy
    1. Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act
    2. Federal Agency Requirements Under the Privacy Act
    3. Privacy Impact Assessments
    4. Protecting Personally Identifiable Information (PII)
    5. Other Legal and Regulatory Sources of Privacy Requirements
    6. Relevant Source Material
    7. Summary
    8. References
  25. Chapter 17. Federal Initiatives
    1. Network Security
    2. Cloud Computing
    3. Application Security
    4. Identity and Access Management
    5. Other Federal Security Management Requirements
    6. Relevant Source Material
    7. Summary
    8. References
  26. Appendix A. References
    1. References
  27. Appendix B. Acronyms
    1. Acronyms and Abbreviations
  28. Appendix C. Glossary
    1. Glossary
  29. Index