FISMA Compliance Handbook

Book Description

This comprehensive book instructs IT managers on how to adhere to federally mandated compliance requirements. FISMA Compliance Handbook Second Edition explains what the requirements for FISMA compliance are and why FISMA compliance is mandated by federal law. The evolution of Certification and Accreditation is also discussed.

This book walks the reader through the entire FISMA compliance process and includes guidance on how to manage a FISMA compliance project from start to finish. The book has chapters for all FISMA compliance deliverables and includes information on how to conduct a FISMA compliant security assessment.

Topics discussed in this book include the NIST Risk Management Framework, how to characterize the sensitivity level of your system, contingency planning, system security plan development, security awareness training, privacy impact assessments, security assessments, and more. Readers will learn how to obtain an Authority to Operate for an information system and what actions to take regarding vulnerabilities and audit findings.

FISMA Compliance Handbook Second Edition also includes all-new coverage of federal cloud computing compliance from author Laura Taylor, the federal government’s technical lead for FedRAMP, the government program used to assess and authorize cloud products and services.

  • Includes new information on cloud computing compliance from Laura Taylor, the federal government’s technical lead for FedRAMP
  • Includes coverage for both corporate and government IT managers
  • Learn how to prepare for, perform, and document FISMA compliance projects
  • This book is used by various colleges and universities in information security and MBA curricula.

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
    1. Author Acknowledgments
  6. About the Author
  7. Foreword
  8. Chapter 1. FISMA Compliance Overview
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Terminology
    5. Processes and paperwork
    6. Templates streamline the process
    7. FISMA oversight and governance
    8. Supporting government security regulations
    9. Summary
    10. References
  9. Chapter 2. FISMA Trickles into the Private Sector
    1. Abstract
    2. Topics in this chapter
    3. Introduction and authorities
    4. Inspector General reports
    5. What should NGOs do regarding FISMA?
    6. FISMA compliance tools
    7. Summary
  10. Chapter 3. FISMA Compliance Methodologies
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. The NIST risk management framework (RMF)
    5. Defense information assurance C&A process (DIACAP)
    6. Department of defense (DoD) risk management framework (RMF)
    7. ICD 503 and DCID 6/3
    8. The common denominator of FISMA compliance methodologies
    9. FISMA compliance for private enterprises
    10. Legacy methodologies
    11. Summary
    12. Notes
  11. Chapter 4. Understanding the FISMA Compliance Process
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Recognizing the need for FISMA compliance
    5. Roles and responsibilities
    6. Stepping through the process
    7. FISMA project management
    8. Summary
  12. Chapter 5. Establishing a FISMA Compliance Program
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Compliance handbook development
    5. Create a standardized security assessment process
    6. Provide package delivery instructions
    7. Authority and endorsement
    8. Improve your compliance program each year
    9. Problems of not having a compliance program
    10. Summary
  13. Chapter 6. Getting Started on Your FISMA Project
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Initiate your project
    5. Analyze your research
    6. Develop the documents
    7. Verify your information
    8. Retain your ethics
    9. Summary
  14. Chapter 7. Preparing the Hardware and Software Inventory
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Determining the system boundaries
    5. Collecting the inventory information
    6. Structure of inventory information
    7. Delivery of inventory document
    8. Summary
  15. Chapter 8. Categorizing Data Sensitivity
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Heed this warning before you start
    5. Confidentiality, Integrity, and Availability
    6. Template for FIPS 199 Profile
    7. The explanatory memo
    8. National Security Systems
    9. Summary
  16. Chapter 9. Addressing Security Awareness and Training
    1. Abstract
    2. Topics in this chapter
    3. Introduction and authorities
    4. Purpose of security awareness and training
    5. Elements of the security awareness and training plan
    6. Specialized security training
    7. Security awareness
    8. The awareness and training message
    9. Security awareness and training checklist
    10. Security awareness course evaluation
    11. Summary
    12. Reference
  17. Chapter 10. Addressing Rules of Behavior
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Implementing Rules of Behavior
    5. Rules for internal and external users
    6. What rules to include
    7. Consequences of noncompliance
    8. Rules of Behavior checklist
    9. Summary
  18. Chapter 11. Developing an Incident Response Plan
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Purpose and applicability
    5. Policies, procedures, and guidelines
    6. Reporting framework
    7. Roles and responsibilities
    8. Definitions
    9. Incident handling
    10. Forensic investigations
    11. Incident types
    12. Incident Response Plan checklist
    13. Security Incident Reporting Form
    14. Summary
    15. Additional resources
    16. Incident response organizations
    17. Books on incident response
    18. Articles and papers on incident response
  19. Chapter 12. Conducting a Privacy Impact Assessment
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Privacy laws, regulations, and rights
    5. OMB Memoranda with privacy implications
    6. Laws and regulations
    7. When to conduct a PIA?
    8. Questions for a privacy impact assessment
    9. Personally identifiable information (PII)
    10. Persistent tracking technologies
    11. Decommissioning of PII
    12. System of record notice (SORN)
    13. Posting the privacy policy
    14. PIA checklist
    15. Summary
    16. Books on privacy
    17. References
  20. Chapter 13. Preparing the Business Impact Analysis
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Terminology
    5. Document actual recovery times
    6. Establish relative recovery priorities
    7. Define escalation thresholds
    8. Record license keys
    9. BIA Organization
    10. Summary
    11. Additional resources
  21. Chapter 14. Developing the Contingency Plan
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. List assumptions
    5. Concept of operations
    6. Roles and responsibilities
    7. Levels of disruption
    8. Procedures
    9. Line of succession
    10. Service-Level Agreements
    11. Contact lists
    12. Testing the Contingency Plan
    13. Appendices
    14. Contingency Plan checklist
    15. Additional resources
  22. Chapter 15. Developing a Configuration Management Plan
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Establish definitions
    5. Describe assets controlled by the plan
    6. Describe the configuration management system
    7. Define roles and responsibilities
    8. Describe baselines
    9. Change control process
    10. Configuration management audit
    11. Configuration and change management tools
    12. Configuration Management Plan checklist
    13. Summary
    14. Additional resources
  23. Chapter 16. Preparing the System Security Plan
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Laws, regulations, and policies
    5. The system description
    6. Security controls and requirements
    7. Management controls
    8. Operational controls
    9. Technical controls
    10. ISSO appointment letter
    11. System security plan checklist
    12. Summary
    13. Additional resources
    14. Note
  24. Chapter 17. Performing the Business Risk Assessment
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Determine the mission
    5. Create a mission map
    6. Construct risk statements
    7. Describe the sensitivity model
    8. Quantitative risk assessment
    9. Qualitative versus quantitative risk assessment
    10. Make an informed decision
    11. Summary
    12. Books and articles on risk assessment
    13. References
  25. Chapter 18. Getting Ready for Security Testing
    1. Abstract
    2. Topics in this chapter
    3. Introduction and authorities
    4. Planning
    5. Scoping
    6. Assumptions and constraints
    7. Schedule
    8. Rules of Engagement
    9. Limitation of Liability
    10. End of testing
    11. Summary
    12. Additional resources
  26. Chapter 19. Submitting the Security Package
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Structure of documents
    5. Who puts the package together?
    6. Markings and format
    7. Signature pages
    8. A word about “Not Applicable” information
    9. Submission and revision
    10. Defending the Security Package
    11. Checklist
    12. Summary
    13. Additional resources
  27. Chapter 20. Independent Assessor Audit Guide
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Test against the System’s security control baseline
    5. How does confidentiality, integrity, and availability fit in?
    6. Manual and automated testing
    7. Security testing tools
    8. Infrastructure scanners
    9. Evaluations by Inspector Generals
    10. Evaluations by the Government Accountability Office
    11. Summary
  28. Chapter 21. Developing the Security Assessment Report
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. Analysis of test results
    5. Risk assessment methodology
    6. Present the risks
    7. Checklist
    8. Make decisions
    9. Certification
    10. Authority to operate
    11. Interim authority to operate
    12. Summary
    13. Additional resources
  29. Chapter 22. Addressing FISMA Findings
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. POA&Ms
    5. Development and approval
    6. POA&M elements
    7. A word to the wise
    8. Checklist
    9. Summary
  30. Chapter 23. FedRAMP: FISMA for the Cloud
    1. Abstract
    2. Topics in this chapter
    3. Introduction
    4. What is cloud computing?
    5. Looking at virtual machines another way
    6. Sharding
    7. Content delivery networks
    8. FedRAMP security independent assessors
    9. FedRAMP security assessments
    10. The great value of FedRAMP
    11. FedRAMP organization
    12. Summary
    13. Resources
  31. Appendix A. FISMA
    1. Title III—Information Security
  32. Appendix B. OMB Circular A-130 Appendix III
    1. Security of federal automated information resources
  33. Appendix C. FIPS 199
    1. Foreword
    2. Authority
    3. Table of contents
    4. 1 Purpose
    5. 2 Applicability
    6. 3 Categorization of information and information systems
    7. APPENDIX A Terms and definitions
    8. APPENDIX B References
  34. Index