Resources

A risk management reading list

NIST logo

This text is intended to be a caption for the above image.

The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.


Main story: Cyber insecurity: Managing against the risks


FISMA sets various standards and guidance for agencies to use when assessing risks and establishing security controls, and agencies must comply with them annually. However, the law does not yet tell agencies that they must improve security, only that they must show that they have a process in place that will enable them to do so.

However, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots to a real-time process. NIST has a portfolio of documents that provide detailed guidance on risk management, including:

The big new idea in the latest set of documents is that agencies should look at risk management as an enterprisewide process and not something to be performed at the system level, said Ron Ross, a NIST fellow and leader of the agency’s FISMA Implementation Project.

“It applies to all three tiers in an organization — from where the assessment is done at the highest level, where the risk management strategy is produced [and] is pushed down through Tier 2, where assessments have an impact on mission and business operations, to the system security design at Tier 3,” he said.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.