Resources

A risk management reading list

NIST logo

This text is intended to be a caption for the above image.

The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.


Main story: Cyber insecurity: Managing against the risks


FISMA sets various standards and guidance for agencies to use when assessing risks and establishing security controls, and agencies must comply with them annually. However, the law does not yet tell agencies that they must improve security, only that they must show that they have a process in place that will enable them to do so.

However, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots to a real-time process. NIST has a portfolio of documents that provide detailed guidance on risk management, including:

The big new idea in the latest set of documents is that agencies should look at risk management as an enterprisewide process and not something to be performed at the system level, said Ron Ross, a NIST fellow and leader of the agency’s FISMA Implementation Project.

“It applies to all three tiers in an organization — from where the assessment is done at the highest level, where the risk management strategy is produced [and] is pushed down through Tier 2, where assessments have an impact on mission and business operations, to the system security design at Tier 3,” he said.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

Featured

  • People
    Dr. Ronny Jackson briefs the press on President Trump

    Uncertainty at VA after nominee withdraws

    With White House physician Adm. Ronny Jackson's withdrawal, VA watchers are wondering what's next for the agency and its planned $16 billion health IT modernization project.

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.