FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security, 1st Edition

Stephen Gantz, Daniel Philpott

ISBN 9781597496414


Learn how to meet federal information security compliance requirements and manage security risks for your organization's information systems!


Key Features

  • Learn how to build a robust, near real-time risk management system and comply with FISMA
  • Discover the changes to FISMA compliance and beyond
  • Get your systems the authorization they need


FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing the risk associated with information resources in federal government agencies. Comprising 17 chapters, the book explains the FISMA legislation and its provisions, strengths, and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package (the system security plan, the security assessment report, and the plan of action and milestones); and federal information security management requirements and initiatives not explicitly covered by FISMA. The book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.


Audience

Information Security Auditors, Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers

Stephen Gantz

Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com. Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate. Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.

Affiliations and Expertise

CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, Founder and Principal Architect of SecurityArchitecture.com.

Daniel Philpott

Daniel Philpott is a Federal Information Security Architect with the Information Assurance Division of Tantus Technologies, where he works with Federal agencies on FISMA compliance and risk management. Dan is a respected information security practitioner specializing in Federal information security needs including FISMA, cybersecurity, SCAP, FDCC, HSPD-12, risk management, governance, cloud computing, social media, and web application security. He is the founder of the FISMApedia.org wiki and the FISMA Arts training project. You can find his comments and analysis at Guerilla-CISO.com and ArielSilverstone.com, where he is a guest blogger. As a sought-after public speaker on Federal information security, he is frequently featured in interviews and articles by a variety of security news sources and podcasts. Dan started his career in IT at age 13, beta testing display terminals at ProType Corporation. Since that time he has held a variety of positions in the field. While often working on security issues (cryptography, host hardening, network hardening, resilient architectures, and application security), he made information security his career in 1998 during his work at the National Institute of Standards and Technology. In the Federal space he has worked with the National Institutes of Health, the Department of Commerce Technology Administration, the U.S. Agency for International Development, and NIST. Having experienced Federal information security before and after FISMA, he is a strong proponent of the changes FISMA has brought about. Approaching information security with a strong focus on effective reduction of risk, Dan brings a technical and operational security perspective to the theory and practice of FISMA compliance. His long experience in the IT security field provides his Federal clients with depth of knowledge and a diverse skill set encompassing compliance, governance, practice, technology, and risk management.

Affiliations and Expertise

Daniel Philpott, Federal Information Security Architect, Information Assurance Division of Tantus Technologies

Table of Contents

About the Author

Chapter 1 Introduction


         Purpose and Rationale

         How to Use This Book

         Key Audience

    FISMA Applicability and Implementation

         Implementation Responsibilities

         FISMA Progress to Date

    FISMA Provisions

         Standards and Guidelines for Federal Information Systems

         System Certification and Accreditation

    Strengths and Shortcomings of FISMA

    Structure and Content

    Relevant Source Material


Chapter 2 Federal Information Security Fundamentals

    Information Security in the Federal Government

         Brief History of Information Security

         Civilian, Defense, and Intelligence Sector Practices

         Legislative History of Information Security Management

    Certification and Accreditation

         FIPS 102



         NIST Special Publication 800-37


         NIST Risk Management Framework

         Joint Task Force Transformation Initiative

         Organizational Responsibilities

         Office of Management and Budget (OMB)

         National Institute of Standards and Technology (NIST)

         Department of Defense (DoD)

         Office of the Director of National Intelligence (ODNI)

         Department of Homeland Security (DHS)

         National Security Agency (NSA)

         General Services Administration (GSA)

         Government Accountability Office (GAO)


         Executive Office of the President

    Relevant Source Material


Chapter 3 Thinking About Risk

    Understanding Risk

         Key Concepts

         Types of Risk

         Organizational Risk

    Trust, Assurance, and Security

         Trust and Trustworthiness

         Assurance and Confidence


         Trust Models

    Risk Associated with Information Systems

         Risk Management Framework

         Risk Management Life Cycle

         Other Risk Management Frameworks Used in Government Organizations

    Relevant Source Material


Chapter 4 Thinking About Systems

    Defining Systems in Different Contexts

         Information Systems in FISMA and the RMF

         Information System Attributes

    Perspectives on Information Systems

         Information Security Management

         Capital Planning and Investment Control

         Enterprise Architecture

         System Development Life Cycle

         Information Privacy

    Establishing Information System Boundaries


         System Interconnections

    Maintaining System Inventories

    Relevant Source Material


Chapter 5 Success Factors

    Prerequisites for Organizational Risk Management

         Justifying Information Security

         Key Upper Management Roles

    Managing the Information Security Program

         Organizational Policies, Procedures, Templates, and Guidance

    Compliance and Reporting

         Agency Reporting Requirements

         Information Security Program Evaluation

    Organizational Success Factors



         Budgeting and Resource Allocation


         Standardization, Automation, and Reuse


    Measuring Security Effectiveness

         Security Measurement Types

         Security Measurement Process

    Relevant Source Material


Chapter 6 Risk Management Framework Planning and Initiation


    Planning the RMF Project

         Aligning to the SDLC

         Planning the RMF Timeline

    Prerequisites for RMF Initiation

         Inputs to Information System Categorization

         Inputs to Security Control Selection

         Organizational Policies, Procedures, Templates, and Guidance

         Identifying Responsible Personnel

    Establishing a Project Plan

    Roles and Responsibilities

    Getting the Project Underway

    Relevant Source Material


Chapter 7 Risk Management Framework Steps 1 & 2

    Purpose and Objectives

    Standards and Guidance

    Step 1: Categorize Information System

         Security Categorization

         Information System Description

         Information System Registration

    Step 2: Select Security Controls

         Common Control Identification

         Security Control Selection

         Monitoring Strategy

         Security Plan Approval

    Relevant Source Material


Chapter 8 Risk Management Framework Steps 3 & 4

    Working with Security Control Baselines

         Assurance Requirements

         Sources of Guidance on Security Controls

    Roles and Responsibilities

         Management Controls

         Operational Controls

         Technical Controls

         Program Management, Infrastructure, and Other

         Common Controls

    Step 3: Implement Security Controls

         Security Architecture Design

         Security Engineering and Control Implementation

         Security Control Documentation

    Step 4: Assess Security Controls

         Security Control Assessment Components

         Assessment Preparation

         Security Control Assessment

         Security Assessment Report

         Remediation Actions

    Relevant Source Material


Chapter 9 Risk Management Framework Steps 5 & 6

    Preparing for System Authorization

    Step 5: Authorize Information System

         Plan of Action and Milestones

         Security Authorization Package

         Risk Determination

         Risk Acceptance

    Step 6: Monitor Security Controls

         Information System and Environment Changes

         Ongoing Security Control Assessments

         Ongoing Remediation Actions

         Key Updates

         Security Status Reporting

         Ongoing Risk Determination and Acceptance

         Information System Removal and Decommissioning

    Relevant Source Material


Chapter 10 System Security Plan

    Purpose and Role of the System Security Plan

         System Security Plan Scope

         Defining the System Boundary

         Key Roles and Responsibilities

         The Role of the SSP within the RMF

    Structure and Content of the System Security Plan

         System Security Plan Format

         SSP Linkage to Other Key Artifacts

    Developing the System Security Plan

         Rules of Behavior

    Managing System Security Using the SSP

    Relevant Source Material


Chapter 11 Security Assessment Report

    Security Assessment Fundamentals

         Security Control Assessors and Supporting Roles

         Assessment Timing and Frequency

         Scope and Level of Detail

         Security Assessment Report Structure and Contents

         Assessment Methods and Objects

    Performing Security Control Assessments

         Assessment Determinations

         Producing the Security Assessment Report

    The Security Assessment Report in Context

         The Purpose and Role of the Security Assessment Report

         Using the Security Assessment Report

    Relevant Source Material


Chapter 12 Plan of Action and Milestones

    Regulatory Background

    Structure and Content of the Plan of Action and Milestones

         Agency-Level POA&M

         System-Level POA&M Information

         Creating POA&M Items

         Planning for Remediation

         Oversight of POA&M Creation

    Weaknesses and Deficiencies

         Risk Assessments

         Risk Responses

         Sources of Weaknesses

    Producing the Plan of Action and Milestones

         Timing and Frequency

    Maintaining and Monitoring the Plan of Action and Milestones

         Resolving POA&M Items

    Relevant Source Material


Chapter 13 Risk Management

    Risk Management

         Key Risk Management Concepts

    Three-Tiered Approach

         Organizational Perspective

         Mission and Business Perspective

         Information System Perspective

         Trust and Trustworthiness

    Components of Risk Management





    Information System Risk Assessments

         Risk Models

         Assessment Methods

         Analysis Approaches




    Relevant Source Material


Chapter 14 Continuous Monitoring

    The Role of Continuous Monitoring in the Risk Management Framework

         Monitoring Strategy

         Selecting Security Controls for Continuous


         Integrating Continuous Monitoring with Security


         Roles and Responsibilities

    Continuous Monitoring Process

         Define ISCM Strategy

         Establish ISCM Program

         Implement ISCM Program

         Analyze Data and Report Findings

         Respond to Findings

         Review and Update ISCM Program and Strategy

    Technical Solutions for Continuous Monitoring

         Manual vs. Automated Monitoring

         Data Gathering

         Aggregation and Analysis

         Automation and Reference Data Sources

    Relevant Source Material


Chapter 15 Contingency Planning

    Introduction to Contingency Planning

         Contingency Planning Drivers

         Contingency Planning Controls

    Contingency Planning and Continuity of Operations

         Federal Requirements for Continuity of Operations Planning

         Distinguishing Contingency Planning from Continuity of Operations Planning

         Contingency Planning Components and Processes

    Information System Contingency Planning

         Develop Contingency Planning Policy

         Conduct Business Impact Analysis

         Identify Preventive Controls

         Create Contingency Strategies

         Develop Contingency Plan

         Conduct Plan Testing, Training, and Exercises

         Maintain Plan

    Developing the Information System Contingency Plan

         ISCP Introduction and Supporting Information

         Concept of Operations

         Activation and Notification



         Appendices and Supplemental Information

    Operational Requirements for Contingency Planning

         System Development and Engineering

         System Interconnections

         Technical Contingency Planning Considerations

    Relevant Source Material


Chapter 16 Privacy

    Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act

         Privacy Provisions in the E-Government Act of 2002

         Privacy and Minimum Security Controls

         Privacy in FISMA Reporting

         FISMA Incident Reporting and Handling

    Federal Agency Requirements Under the Privacy Act

         Fair Information Practices

    Privacy Impact Assessments

         Applicability of Privacy Impact Assessments

         Conducting Privacy Impact Assessments

         Documenting and Publishing PIA Results

         System of Records Notices

         Updates to Privacy Impact Assessments for Third-Party Sources

         Privacy Impact Assessments within the Risk Management Framework

    Protecting Personally Identifiable Information (PII)

         Notification Requirements for Breaches of Personally Identifiable Information

    Other Legal and Regulatory Sources of Privacy


         Privacy Requirements Potentially Applicable to Agencies

    Relevant Source Material


Chapter 17 Federal Initiatives

    Network Security


         Comprehensive National Cybersecurity Initiative

         Trusted Internet Connections


    Cloud Computing


    Application Security

         Tested Security Technologies

         Federal Information Processing Standards

         Common Criteria

         Secure Configuration Checklists

    Identity and Access Management

         Identity, Credential, and Access Management (ICAM)

         Personal Identity Verification

         Electronic Authentication

         Federal PKI

    Other Federal Security Management Requirements

         Personally Identifiable Information Protection

         OMB Memoranda

         Information Resources Management

         Federal Enterprise Architecture

         Open Government

    Relevant Source Material


Appendix A References

Appendix B Acronyms

Appendix C Glossary


Quotes and reviews

"For the person who needs to build a solid IT system and get it through the process of security authorization, this work will be a perfect source. The authors structured the contents logically, which makes it easy to find information. The book can be used as a compendium of security knowledge, to which one can return many times to find important details when needed."--IEEE Communications, July 2014
"Gantz explains the Federal Information Security Management Act (FISMA), describes the obligations it places on federal agencies and others subject to the legislation's rules about securing information systems, and details the processes and activities needed to implement effective information security management following FISMA and using the Risk Management Framework of the National Institute of Standards and Technology."--Reference and Research Book News, August 2013
