Resources

A risk management reading list

NIST logo

This text is intended to be a caption for the above image.

The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.


Main story: Cyber insecurity: Managing against the risks


FISMA sets various standards and guidance for agencies to use when assessing risks and establishing security controls, and agencies must comply with them annually. However, the law does not yet tell agencies that they must improve security, only that they must show that they have a process in place that will enable them to do so.

However, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots to a real-time process. NIST has a portfolio of documents that provide detailed guidance on risk management, including:

The big new idea in the latest set of documents is that agencies should look at risk management as an enterprisewide process and not something to be performed at the system level, said Ron Ross, a NIST fellow and leader of the agency’s FISMA Implementation Project.

“It applies to all three tiers in an organization — from where the assessment is done at the highest level, where the risk management strategy is produced [and] is pushed down through Tier 2, where assessments have an impact on mission and business operations, to the system security design at Tier 3,” he said.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • Login.gov moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Wed, Oct 24, 2012

Great references, however, risk management/IA starts at contract development (a minor detail that most folks tend to leave out). If it isn't budgeted, if it does not have management buy in, and if the resources are not allocated, you can forget about ever implementing Risk Management/IA. Hello.......anyone listening?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group