FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security, 1st Edition

Stephen Gantz, Daniel Philpott

ISBN 9781597496414

Learn how to meet federal information security compliance requirements and manage security risks for your organization's information systems!


Key Features

  • Learn how to build a robust, near real-time risk management system and comply with FISMA
  • Discover the changes to FISMA compliance and beyond
  • Get your systems the authorization they need


FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Organized in 17 chapters, the book explains the FISMA legislation and its provisions, strengths and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package: the system security plan, the security assessment report, and the plan of action and milestones; and federal information security management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.


Information Security Auditors, Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers

Stephen Gantz

Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com. Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate. Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.

Affiliations and Expertise

CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, Founder and Principal Architect of SecurityArchitecture.com.

Daniel Philpott

Daniel Philpott is a Federal Information Security Architect with the Information Assurance Division of Tantus Technologies, where he works with Federal agencies on FISMA compliance and risk management. Dan is a respected information security practitioner specializing in Federal information security needs including FISMA, cybersecurity, SCAP, FDCC, HSPD-12, risk management, governance, cloud computing, social media, and web application security. He is founder of the FISMApedia.org wiki and the FISMA Arts training project. You can find his comments and analysis at Guerilla-CISO.com and ArielSilverstone.com, where he is a guest blogger. As a sought-after public speaker on Federal information security, he is frequently featured in interviews and articles by a variety of security news sources and podcasts. Dan started his career in IT at age 13, beta testing display terminals at ProType Corporation. Since that time he has held a variety of positions in the field. While often working on security issues (cryptography, host hardening, network hardening, resilient architectures, and application security), he made information security his career in 1998 during his work at the National Institute of Standards and Technology. In the Federal space he has worked with the National Institutes of Health, the Department of Commerce Technology Administration, the U.S. Agency for International Development, and NIST. Having experienced Federal information security before and after FISMA, he is a strong proponent of the changes FISMA has brought about. Approaching information security with a strong focus on effective reduction of risk, Dan brings a technical and operational security perspective to the theory and practice of FISMA compliance. His long experience in the IT security field provides his Federal clients with depth of knowledge and a diverse skill set encompassing compliance, governance, practice, technology, and risk management.

Affiliations and Expertise

Daniel Philpott, Federal Information Security Architect, Information Assurance Division of Tantus Technologies

Table of Contents

Trademarks
Acknowledgements
About the Author

Chapter 1 Introduction
  • Introduction
      • Purpose and Rationale
      • How to Use This Book
      • Key Audience
  • FISMA Applicability and Implementation
      • Implementation Responsibilities
      • FISMA Progress to Date
  • FISMA Provisions
      • Standards and Guidelines for Federal Information Systems
      • System Certification and Accreditation
  • Strengths and Shortcomings of FISMA
  • Structure and Content
  • Relevant Source Material
  • References

Chapter 2 Federal Information Security Fundamentals
  • Information Security in the Federal Government
      • Brief History of Information Security
      • Civilian, Defense, and Intelligence Sector Practices
      • Legislative History of Information Security Management
  • Certification and Accreditation
      • FIPS 102
      • DITSCAP
      • NIACAP
      • NIST Special Publication 800-37
      • DIACAP
      • NIST Risk Management Framework
      • Joint Task Force Transformation Initiative
  • Organizational Responsibilities
      • Office of Management and Budget (OMB)
      • National Institute of Standards and Technology (NIST)
      • Department of Defense (DoD)
      • Office of the Director of National Intelligence (ODNI)
      • Department of Homeland Security (DHS)
      • National Security Agency (NSA)
      • General Services Administration (GSA)
      • Government Accountability Office (GAO)
      • Congress
      • Executive Office of the President
  • Relevant Source Material
  • References

Chapter 3 Thinking About Risk
  • Understanding Risk
      • Key Concepts
      • Types of Risk
      • Organizational Risk
  • Trust, Assurance, and Security
      • Trust and Trustworthiness
      • Assurance and Confidence
      • Security
      • Trust Models
  • Risk Associated with Information Systems
      • Risk Management Framework
      • Risk Management Life Cycle
      • Other Risk Management Frameworks Used in Government Organizations
  • Relevant Source Material
  • References

Chapter 4 Thinking About Systems
  • Defining Systems in Different Contexts
      • Information Systems in FISMA and the RMF
      • Information System Attributes
  • Perspectives on Information Systems
      • Information Security Management
      • Capital Planning and Investment Control
      • Enterprise Architecture
      • System Development Life Cycle
      • Information Privacy
  • Establishing Information System Boundaries
      • Subsystems
      • System Interconnections
  • Maintaining System Inventories
  • Relevant Source Material
  • References

Chapter 5 Success Factors
  • Prerequisites for Organizational Risk Management
      • Justifying Information Security
      • Key Upper Management Roles
  • Managing the Information Security Program
      • Organizational Policies, Procedures, Templates, and Guidance
  • Compliance and Reporting
      • Agency Reporting Requirements
      • Information Security Program Evaluation
  • Organizational Success Factors
      • Governance
      • Planning
      • Budgeting and Resource Allocation
      • Communication
      • Standardization, Automation, and Reuse
      • Flexibility
  • Measuring Security Effectiveness
      • Security Measurement Types
      • Security Measurement Process
  • Relevant Source Material
  • References

Chapter 6 Risk Management Framework Planning and Initiation
  • Planning
  • Planning the RMF Project
      • Aligning to the SDLC
      • Planning the RMF Timeline
  • Prerequisites for RMF Initiation
      • Inputs to Information System Categorization
      • Inputs to Security Control Selection
      • Organizational Policies, Procedures, Templates, and Guidance
      • Identifying Responsible Personnel
  • Establishing a Project Plan
  • Roles and Responsibilities
  • Getting the Project Underway
  • Relevant Source Material
  • References

Chapter 7 Risk Management Framework Steps 1 & 2
  • Purpose and Objectives
  • Standards and Guidance
  • Step 1: Categorize Information System
      • Security Categorization
      • Information System Description
      • Information System Registration
  • Step 2: Select Security Controls
      • Common Control Identification
      • Security Control Selection
      • Monitoring Strategy
      • Security Plan Approval
  • Relevant Source Material
  • References

Chapter 8 Risk Management Framework Steps 3 & 4
  • Working with Security Control Baselines
      • Assurance Requirements
      • Sources of Guidance on Security Controls
  • Roles and Responsibilities
      • Management Controls
      • Operational Controls
      • Technical Controls
      • Program Management, Infrastructure, and Other Common Controls
  • Step 3: Implement Security Controls
      • Security Architecture Design
      • Security Engineering and Control Implementation
      • Security Control Documentation
  • Step 4: Assess Security Controls
      • Security Control Assessment Components
      • Assessment Preparation
      • Security Control Assessment
      • Security Assessment Report
      • Remediation Actions
  • Relevant Source Material
  • References

Chapter 9 Risk Management Framework Steps 5 & 6
  • Preparing for System Authorization
  • Step 5: Authorize Information System
      • Plan of Action and Milestones
      • Security Authorization Package
      • Risk Determination
      • Risk Acceptance
  • Step 6: Monitor Security Controls
      • Information System and Environment Changes
      • Ongoing Security Control Assessments
      • Ongoing Remediation Actions
      • Key Updates
      • Security Status Reporting
      • Ongoing Risk Determination and Acceptance
      • Information System Removal and Decommissioning
  • Relevant Source Material
  • References

Chapter 10 System Security Plan
  • Purpose and Role of the System Security Plan
      • System Security Plan Scope
      • Defining the System Boundary
      • Key Roles and Responsibilities
      • The Role of the SSP within the RMF
  • Structure and Content of the System Security Plan
      • System Security Plan Format
      • SSP Linkage to Other Key Artifacts
  • Developing the System Security Plan
      • Rules of Behavior
  • Managing System Security Using the SSP
  • Relevant Source Material
  • References

Chapter 11 Security Assessment Report
  • Security Assessment Fundamentals
      • Security Control Assessors and Supporting Roles
      • Assessment Timing and Frequency
      • Scope and Level of Detail
      • Security Assessment Report Structure and Contents
      • Assessment Methods and Objects
  • Performing Security Control Assessments
      • Assessment Determinations
      • Producing the Security Assessment Report
  • The Security Assessment Report in Context
      • The Purpose and Role of the Security Assessment Report
      • Using the Security Assessment Report
  • Relevant Source Material
  • References

Chapter 12 Plan of Action and Milestones
  • Regulatory Background
  • Structure and Content of the Plan of Action and Milestones
      • Agency-Level POA&M
      • System-Level POA&M Information
      • Creating POA&M Items
      • Planning for Remediation
      • Oversight of POA&M Creation
  • Weaknesses and Deficiencies
      • Risk Assessments
      • Risk Responses
      • Sources of Weaknesses
  • Producing the Plan of Action and Milestones
      • Timing and Frequency
  • Maintaining and Monitoring the Plan of Action and Milestones
      • Resolving POA&M Items
  • Relevant Source Material
  • References

Chapter 13 Risk Management
  • Risk Management
      • Key Risk Management Concepts
  • Three-Tiered Approach
      • Organizational Perspective
      • Mission and Business Perspective
      • Information System Perspective
      • Trust and Trustworthiness
  • Components of Risk Management
      • Frame
      • Assess
      • Respond
      • Monitor
  • Information System Risk Assessments
      • Risk Models
      • Assessment Methods
      • Analysis Approaches
      • Prepare
      • Conduct
      • Maintain
  • Relevant Source Material
  • References

Chapter 14 Continuous Monitoring
  • The Role of Continuous Monitoring in the Risk Management Framework
      • Monitoring Strategy
      • Selecting Security Controls for Continuous Monitoring
      • Integrating Continuous Monitoring with Security Management
      • Roles and Responsibilities
  • Continuous Monitoring Process
      • Define ISCM Strategy
      • Establish ISCM Program
      • Implement ISCM Program
      • Analyze Data and Report Findings
      • Respond to Findings
      • Review and Update ISCM Program and Strategy
  • Technical Solutions for Continuous Monitoring
      • Manual vs. Automated Monitoring
      • Data Gathering
      • Aggregation and Analysis
      • Automation and Reference Data Sources
  • Relevant Source Material
  • References

Chapter 15 Contingency Planning
  • Introduction to Contingency Planning
      • Contingency Planning Drivers
      • Contingency Planning Controls
  • Contingency Planning and Continuity of Operations
      • Federal Requirements for Continuity of Operations Planning
      • Distinguishing Contingency Planning from Continuity of Operations Planning
      • Contingency Planning Components and Processes
  • Information System Contingency Planning
      • Develop Contingency Planning Policy
      • Conduct Business Impact Analysis
      • Identify Preventive Controls
      • Create Contingency Strategies
      • Develop Contingency Plan
      • Conduct Plan Testing, Training, and Exercises
      • Maintain Plan
  • Developing the Information System Contingency Plan
      • ISCP Introduction and Supporting Information
      • Concept of Operations
      • Activation and Notification
      • Recovery
      • Reconstitution
      • Appendices and Supplemental Information
  • Operational Requirements for Contingency Planning
      • System Development and Engineering
      • System Interconnections
      • Technical Contingency Planning Considerations
  • Relevant Source Material
  • References

Chapter 16 Privacy
  • Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act
      • Privacy Provisions in the E-Government Act of 2002
      • Privacy and Minimum Security Controls
      • Privacy in FISMA Reporting
      • FISMA Incident Reporting and Handling
  • Federal Agency Requirements Under the Privacy Act
      • Fair Information Practices
  • Privacy Impact Assessments
      • Applicability of Privacy Impact Assessments
      • Conducting Privacy Impact Assessments
      • Documenting and Publishing PIA Results
      • System of Records Notices
      • Updates to Privacy Impact Assessments for Third-Party Sources
      • Privacy Impact Assessments within the Risk Management Framework
  • Protecting Personally Identifiable Information (PII)
      • Notification Requirements for Breaches of Personally Identifiable Information
  • Other Legal and Regulatory Sources of Privacy Requirements
      • Privacy Requirements Potentially Applicable to Agencies
  • Relevant Source Material
  • References

Chapter 17 Federal Initiatives
  • Network Security
      • US-CERT
      • Comprehensive National Cybersecurity Initiative
      • Trusted Internet Connections
      • EINSTEIN
  • Cloud Computing
      • FedRAMP
  • Application Security
      • Tested Security Technologies
      • Federal Information Processing Standards
      • Common Criteria
      • Secure Configuration Checklists
  • Identity and Access Management
      • Identity, Credential, and Access Management (ICAM)
      • Personal Identity Verification
      • Electronic Authentication
      • Federal PKI
  • Other Federal Security Management Requirements
      • Personally Identifiable Information Protection
      • OMB Memoranda
      • Information Resources Management
      • Federal Enterprise Architecture
      • Open Government
  • Relevant Source Material
  • References

Appendix A References
Appendix B Acronyms
Appendix C Glossary
Index

Quotes and reviews

"For the person who needs to build a solid IT system and get it through the process of security authorization, this work will be a perfect source. The authors structured the contents logically, which makes it easy to find information. The book can be used as a compendium of security knowledge, to which one can return many times to find important details when needed."--IEEE Communications, July 2014
"Gantz explains the Federal Information Security Management Act (FISMA), describes the obligations it places on federal agencies and others subject to the legislation's rules about securing information systems, and details the processes and activities needed to implement effective information security management following FISMA and using the Risk Management Framework of the National Institute of Standards and Technology."--Reference and Research Book News, August 2013

