FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Comprised of 17 chapters, the book explains the FISMA legislation and its provisions, strengths, and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security are practiced in federal government agencies; the three primary documents that make up the security authorization package: the system security plan, the security assessment report, and the plan of action and milestones; and federal information security management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.

* Learn how to build a robust, near real-time risk management system and comply with FISMA
* Discover the changes to FISMA compliance and beyond
* Gain your systems the authorization they need
Trademarks xvii
Acknowledgements xix
About the Author xxi
Chapter 1 Introduction 1 (22)
Introduction 1 (5)
Purpose and Rationale 3 (2)
How to Use This Book 5 (1)
Key Audience 5 (1)
FISMA Applicability and Implementation 6 (2)
Implementation Responsibilities 6 (1)
FISMA Progress to Date 7 (1)
FISMA Provisions 8 (4)
Standards and Guidelines for Federal Information Systems 9 (2)
System Certification and Accreditation 11 (1)
Strengths and Shortcomings of FISMA 12 (1)
Structure and Content 13 (5)
Relevant Source Material 18 (1)
References 19 (4)
Chapter 2 Federal Information Security Fundamentals 23 (30)
Information Security in the Federal Government 25 (9)
Brief History of Information Security 26 (2)
Civilian, Defense, and Intelligence Sector Practices 28 (5)
Legislative History of Information Security Management 33 (1)
Certification and Accreditation 34 (9)
FIPS 102 35 (1)
DITSCAP 36 (1)
NIACAP 37 (2)
NIST Special Publication 800-37 39 (1)
DIACAP 40 (1)
NIST Risk Management Framework 41 (1)
Joint Task Force Transformation Initiative 42 (1)
Organizational Responsibilities 43 (4)
Office of Management and Budget (OMB) 44 (1)
National Institute of Standards and Technology (NIST) 44 (1)
Department of Defense (DoD) 45 (1)
Office of the Director of National Intelligence (ODNI) 45 (1)
Department of Homeland Security (DHS) 45 (1)
National Security Agency (NSA) 46 (1)
General Services Administration (GSA) 46 (1)
Government Accountability Office (GAO) 46 (1)
Congress 46 (1)
Executive Office of the President 47 (1)
Relevant Source Material 47 (1)
References 48 (5)
Chapter 3 Thinking About Risk 53 (26)
Understanding Risk 54 (12)
Key Concepts 54 (3)
Types of Risk 57 (6)
Organizational Risk 63 (3)
Trust, Assurance, and Security 66 (4)
Trust and Trustworthiness 67 (1)
Assurance and Confidence 67 (1)
Security 68 (1)
Trust Models 68 (2)
Risk Associated with Information Systems 70 (5)
Risk Management Framework 71 (1)
Risk Management Life Cycle 72 (1)
Other Risk Management Frameworks Used in Government Organizations 73 (2)
Relevant Source Material 75 (1)
References 76 (3)
Chapter 4 Thinking About Systems 79 (26)
Defining Systems in Different Contexts 80 (5)
Information Systems in FISMA and the RMF 81 (1)
Information System Attributes 82 (3)
Perspectives on Information Systems 85 (6)
Information Security Management 85 (1)
Capital Planning and Investment Control 86 (1)
Enterprise Architecture 87 (1)
System Development Life Cycle 88 (2)
Information Privacy 90 (1)
Establishing Information System Boundaries 91 (6)
Subsystems 92 (3)
System Interconnections 95 (2)
Maintaining System Inventories 97 (1)
Relevant Source Material 98 (1)
References 99 (6)
Chapter 5 Success Factors 105 (26)
Prerequisites for Organizational Risk Management 106 (5)
Justifying Information Security 107 (2)
Key Upper Management Roles 109 (2)
Managing the Information Security Program 111 (3)
Organizational Policies, Procedures, Templates, and Guidance 114 (1)
Compliance and Reporting 114 (2)
Agency Reporting Requirements 115 (1)
Information Security Program Evaluation 115 (1)
Organizational Success Factors 116 (4)
Governance 116 (1)
Planning 117 (1)
Budgeting and Resource Allocation 118 (1)
Communication 118 (1)
Standardization, Automation, and Reuse 119 (1)
Flexibility 119 (1)
Measuring Security Effectiveness 120 (6)
Security Measurement Types 122 (1)
Security Measurement Process 123 (3)
Relevant Source Material 126 (1)
References 126 (5)
Chapter 6 Risk Management Framework Planning and Initiation 131 (22)
Planning 132 (2)
Planning the RMF Project 134 (3)
Aligning to the SDLC 135 (1)
Planning the RMF Timeline 136 (1)
Prerequisites for RMF Initiation 137 (6)
Inputs to Information System Categorization 138 (1)
Inputs to Security Control Selection 139 (1)
Organizational Policies, Procedures, Templates, and Guidance 140 (2)
Identifying Responsible Personnel 142 (1)
Establishing a Project Plan 143 (1)
Roles and Responsibilities 144 (1)
Getting the Project Underway 145 (3)
Relevant Source Material 148 (1)
References 149 (4)
Chapter 7 Risk Management Framework Steps 1 & 2 153 (34)
Purpose and Objectives 154 (1)
Standards and Guidance 154 (3)
Step 1 Categorize Information System 157 (11)
Security Categorization 158 (8)
Information System Description 166 (1)
Information System Registration 167 (1)
Step 2 Select Security Controls 168 (13)
Common Control Identification 174 (2)
Security Control Selection 176 (4)
Monitoring Strategy 180 (1)
Security Plan Approval 181 (1)
Relevant Source Material 181 (1)
References 182 (5)
Chapter 8 Risk Management Framework Steps 3 & 4 187 (32)
Working with Security Control Baselines 188 (6)
Assurance Requirements 189 (1)
Sources of Guidance on Security Controls 190 (4)
Roles and Responsibilities 194 (2)
Management Controls 194 (1)
Operational Controls 195 (1)
Technical Controls 195 (1)
Program Management, Infrastructure, and Other Common Controls 196 (1)
Step 3 Implement Security Controls 196 (6)
Security Architecture Design 198 (1)
Security Engineering and Control Implementation 198 (3)
Security Control Documentation 201 (1)
Step 4 Assess Security Controls 202 (12)
Security Control Assessment Components 204 (1)
Assessment Preparation 205 (6)
Security Control Assessment 211 (1)
Security Assessment Report 212 (1)
Remediation Actions 213 (1)
Relevant Source Material 214 (1)
References 215 (4)
Chapter 9 Risk Management Framework Steps 5 & 6 219 (26)
Preparing for System Authorization 220 (2)
Step 5 Authorize Information System 222 (8)
Plan of Action and Milestones 223 (3)
Security Authorization Package 226 (2)
Risk Determination 228 (1)
Risk Acceptance 229 (1)
Step 6 Monitor Security Controls 230 (9)
Information System and Environment Changes 233 (1)
Ongoing Security Control Assessments 234 (1)
Ongoing Remediation Actions 235 (1)
Key Updates 236 (1)
Security Status Reporting 237 (1)
Ongoing Risk Determination and Acceptance 238 (1)
Information System Removal and Decommissioning 238 (1)
Relevant Source Material 239 (1)
References 240 (5)
Chapter 10 System Security Plan 245 (30)
Purpose and Role of the System Security Plan 246 (5)
System Security Plan Scope 246 (1)
Defining the System Boundary 247 (2)
Key Roles and Responsibilities 249 (1)
The Role of the SSP within the RMF 249 (2)
Structure and Content of the System Security Plan 251 (15)
System Security Plan Format 252 (12)
SSP Linkage to Other Key Artifacts 264 (2)
Developing the System Security Plan 266 (2)
Rules of Behavior 267 (1)
Managing System Security Using the SSP 268 (1)
Relevant Source Material 269 (1)
References 269 (6)
Chapter 11 Security Assessment Report 275 (30)
Security Assessment Fundamentals 276 (17)
Security Control Assessors and Supporting Roles 276 (5)
Assessment Timing and Frequency 281 (3)
Scope and Level of Detail 284 (4)
Security Assessment Report Structure and Contents 288 (2)
Assessment Methods and Objects 290 (3)
Performing Security Control Assessments 293 (3)
Assessment Determinations 293 (3)
Producing the Security Assessment Report 296 (1)
The Security Assessment Report in Context 296 (4)
The Purpose and Role of the Security Assessment Report 298 (2)
Using the Security Assessment Report 300 (1)
Relevant Source Material 300 (1)
References 301 (4)
Chapter 12 Plan of Action and Milestones 305 (24)
Regulatory Background 307 (1)
Structure and Content of the Plan of Action and Milestones 308 (9)
Agency-Level POA&M 308 (1)
System-Level POA&M Information 309 (4)
Creating POA&M Items 313 (3)
Planning for Remediation 316 (1)
Oversight of POA&M Creation 317 (1)
Weaknesses and Deficiencies 317 (5)
Risk Assessments 318 (1)
Risk Responses 319 (1)
Sources of Weaknesses 320 (2)
Producing the Plan of Action and Milestones 322 (1)
Timing and Frequency 322 (1)
Maintaining and Monitoring the Plan of Action and Milestones 323 (1)
Resolving POA&M Items 324 (1)
Relevant Source Material 324 (2)
References 326 (3)
Chapter 13 Risk Management 329 (38)
Risk Management 329 (6)
Key Risk Management Concepts 332 (3)
Three-Tiered Approach 335 (9)
Organizational Perspective 335 (4)
Mission and Business Perspective 339 (3)
Information System Perspective 342 (1)
Trust and Trustworthiness 343 (1)
Components of Risk Management 344 (9)
Frame 344 (3)
Assess 347 (2)
Respond 349 (3)
Monitor 352 (1)
Information System Risk Assessments 353 (7)
Risk Models 355 (1)
Assessment Methods 356 (1)
Analysis Approaches 357 (1)
Prepare 357 (2)
Conduct 359 (1)
Maintain 359 (1)
Relevant Source Material 360 (1)
References 361 (6)
Chapter 14 Continuous Monitoring 367 (36)
The Role of Continuous Monitoring in the Risk Management Framework 369 (8)
Monitoring Strategy 373 (1)
Selecting Security Controls for Continuous Monitoring 374 (1)
Integrating Continuous Monitoring with Security Management 375 (1)
Roles and Responsibilities 375 (2)
Continuous Monitoring Process 377 (11)
Define ISCM Strategy 380 (1)
Establish ISCM Program 381 (4)
Implement ISCM Program 385 (1)
Analyze Data and Report Findings 385 (1)
Respond to Findings 386 (1)
Review and Update ISCM Program and Strategy 387 (1)
Technical Solutions for Continuous Monitoring 388 (7)
Manual vs. Automated Monitoring 388 (1)
Data Gathering 389 (5)
Aggregation and Analysis 394 (1)
Automation and Reference Data Sources 395 (1)
Relevant Source Material 395 (1)
References 396 (7)
Chapter 15 Contingency Planning 403 (42)
Introduction to Contingency Planning 403 (8)
Contingency Planning Drivers 404 (2)
Contingency Planning Controls 406 (5)
Contingency Planning and Continuity of Operations 411 (6)
Federal Requirements for Continuity of Operations Planning 412 (1)
Distinguishing Contingency Planning from Continuity of Operations Planning 413 (1)
Contingency Planning Components and Processes 414 (3)
Information System Contingency Planning 417 (7)
Develop Contingency Planning Policy 417 (1)
Conduct Business Impact Analysis 418 (1)
Identify Preventive Controls 419 (1)
Create Contingency Strategies 420 (2)
Develop Contingency Plan 422 (1)
Conduct Plan Testing, Training, and Exercises 422 (2)
Maintain Plan 424 (1)
Developing the Information System Contingency Plan 424 (8)
ISCP Introduction and Supporting Information 425 (1)
Concept of Operations 426 (1)
Activation and Notification 427 (1)
Recovery 428 (2)
Reconstitution 430 (1)
Appendices and Supplemental Information 431 (1)
Operational Requirements for Contingency Planning 432 (5)
System Development and Engineering 432 (1)
System Interconnections 433 (1)
Technical Contingency Planning Considerations 433 (4)
Relevant Source Material 437 (1)
References 438 (7)
Chapter 16 Privacy 445 (36)
Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act 446 (9)
Privacy Provisions in the E-Government Act of 2002 447 (4)
Privacy and Minimum Security Controls 451 (1)
Privacy in FISMA Reporting 452 (3)
FISMA Incident Reporting and Handling 455 (1)
Federal Agency Requirements Under the Privacy Act 455 (6)
Fair Information Practices 456 (5)
Privacy Impact Assessments 461 (5)
Applicability of Privacy Impact Assessments 462 (1)
Conducting Privacy Impact Assessments 463 (1)
Documenting and Publishing PIA Results 464 (1)
System of Records Notices 465 (1)
Updates to Privacy Impact Assessments for Third-Party Sources 465 (1)
Privacy Impact Assessments within the Risk Management Framework 466 (1)
Protecting Personally Identifiable Information (PII) 466 (4)
Notification Requirements for Breaches of Personally Identifiable Information 468 (2)
Other Legal and Regulatory Sources of Privacy Requirements 470 (5)
Privacy Requirements Potentially Applicable to Agencies 470 (5)
Relevant Source Material 475 (1)
References 476 (5)
Chapter 17 Federal Initiatives 481 (26)
Network Security 481 (4)
US-CERT 482 (1)
Comprehensive National Cybersecurity Initiative 483 (1)
Trusted Internet Connections 484 (1)
EINSTEIN 484 (1)
Cloud Computing 485 (2)
FedRAMP 486 (1)
Application Security 487 (3)
Tested Security Technologies 488 (1)
Federal Information Processing Standards 488 (1)
Common Criteria 489 (1)
Secure Configuration Checklists 489 (1)
Identity and Access Management 490 (7)
Identity, Credential, and Access Management (ICAM) 491 (1)
Personal Identity Verification 491 (2)
Electronic Authentication 493 (3)
Federal PKI 496 (1)
Other Federal Security Management Requirements 497 (4)
Personally Identifiable Information Protection 498 (1)
OMB Memoranda 498 (1)
Information Resources Management 499 (1)
Federal Enterprise Architecture 499 (2)
Open Government 501 (1)
Relevant Source Material 501 (1)
References 502 (5)
Appendix A References 507 (14)
Appendix B Acronyms 521 (6)
Appendix C Glossary 527 (20)
Index 547