Resources

A risk management reading list

NIST logo

This text is intended to be a caption for the above image.

The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.


Main story: Cyber insecurity: Managing against the risks


FISMA sets various standards and guidance for agencies to use when assessing risks and establishing security controls, and agencies must comply with them annually. However, the law does not yet tell agencies that they must improve security, only that they must show that they have a process in place that will enable them to do so.

However, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots to a real-time process. NIST has a portfolio of documents that provide detailed guidance on risk management, including:

The big new idea in the latest set of documents is that agencies should look at risk management as an enterprisewide process and not something to be performed at the system level, said Ron Ross, a NIST fellow and leader of the agency’s FISMA Implementation Project.

“It applies to all three tiers in an organization — from where the assessment is done at the highest level, where the risk management strategy is produced [and] is pushed down through Tier 2, where assessments have an impact on mission and business operations, to the system security design at Tier 3,” he said.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

Featured

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.