Index

Note: Page numbers followed by f indicate figures.

A
Applicable laws, IS
  DHHS and CDC institutional rules and guidance, 91
  see also applicable laws, 91
  NIST SP and guidelines, 90
  OMB and GAO requirements, 91
Approval to operate (ATO), 134
Assessment method
Assessment plan
  independent assessment team, 135–136
Authorization
  IS
    package
      special staff members, 151
  and reauthorization testing, 140
Authorization to operate (ATO), 148
Authorizing official (AO)
  effective audit trail, 149
Authorizing official designated representative, 64–65

B

C
Certification and accreditation (C&A) process
  accreditation phase
    accreditation decision, 50, 51
  certification phase
    security verification, 49–50
  continuous monitoring phase
  initiation phase
    characterization, system, 49
    identification and notification, resources, 49
Chief executive officer (CEO), 59–61
Chief information officer (CIO), 61–62, 151
Chief information security officer (CISO), 151
Committee on National Security Systems (CNSS), 14, 170
Committee on National Security Systems Instruction (CNSSI), 19
Common control provider (CCP)
  AO and contact information, 98
  and contact information, 98
  incident response points, 100
  information system users, 100
  mission/business process, 99
  name, system and unique identifier, 97
  purpose, function and capability, 98–99
  security authorization and termination date, 100
  security POC and designated contacts information, 98
  version release number, 98
Configuration control board (CCB), 43, 51
Continuous monitoring
  security status reporting, 164
Control families and classes, 187
Control implementation resources, 129–130

D
Data security standard (DSS), 173–174
Defense Information Systems Agency (DISA), 129
Defense Information Assurance Risk Management Framework (DIARMF), 171
Department of Defense (DoD), 15, 171
Department of social media (DSM)
Director of Central Intelligence Directive (DCID), 36, 170
DoD Information Assurance Certification and Accreditation Process (DIACAP), 35, 171
DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 35

E
Executive orders (EO)
  presidential directive (PD), 13
Expansion, RMF
  transition

F
Federal Information Processing Standards (FIPS)
Federal Information Security Management Act of 2002 (FISMA)
Federal information systems
Federal Risk and Authorization Management Program (FedRAMP), 173

G
Gramm-Leach-Bliley Act, 17

H
Health Information Technology for Economic and Critical Health (HITECH) Act of 2009, 19
Health Insurance Portability and Accountability Act (HIPAA), 16, 19
Homeland Security Presidential Directive (HSPD) 7, 18–19

I
Implementation
  RMF
    authorizing official, 63–64
    authorizing official designated representative, 64–65
    common control provider, 64–65
    information owner/steward, 62–63
    information security architect, 66–67
    information system owner, 65–66
    risk executive (function), 60–62
  security control
    architecture and availability, 126
    enterprise’s architecture, 126
    hybrid controls, development, 127
    information and security professionals, 128
    potential assessment methods and objects, 125
    responsibility and maintenance, 127
    Risk Management Framework Process, 124f
    The System Development Lifecycle, 124f
    technology components, 128
    third-party-provided security documentation, 129
    training requirements, 127
Incremental assessment, 141
Independent verification and validation (IV&V), 135–136
Information security architect, 66–67
Information system (IS)
  AO and contact information
    see also authorizing official, 85
  architectural description, 91
  categorization phases, 53, 54f
  cross domain devices and requirements, 94
  cryptographic key management information, 95
  environment
    custom and legacy systems, 86
  firmware and hardware devices, 92
  hardware, software and system interfaces, 93
  incident response points of contact, 96
  items, system description, 102, 175
  mission/business process supported, 87
  monitoring and environment changes
    decommissioning tasks, 167, 185
    information system baseline, 157
    security-relevant changes, identification, 158–159
    system owner approvals, 159
  network connection rules, 94
  organizationally required information, 97
  owner and contact information
    see also information system owner, 84
  portfolio management office, 102
  purpose, function and capability, 87
  SDLC/acquisition life cycle phase, 88
  security
    authorization/risk boundary, 88
    POC and designated contacts information, 85
  software and applications, 92
  system and unique identifier, 83–84
  version release number, 87
Information system security engineer (ISSE), 67–68
Information systems security officer (ISSO), 65–66
Intelligence community (IC), 170–171
Intelligence Community Directive (ICD), 36, 170
Intelligence Reform and Terrorism Act, 2004, 36
Interview assessment method, 274–276

J
Joint Task Force Transformation Initiative

L
Lab organization
  risk executive (function), 73
  structure
Laws, policies and regulations
  Financial Services Modernization Act, 1999, 17
  Information Technology Management Reform Act, 1996, 16
  privacy policies and data collection, Federal Web Sites, 17
  security categorization and CNSSI, 19
  Transmittal Memorandum No. 4, 16
Legal and regulatory organizations
  orders, President of United States of America, 13

M
Military and defense systems
Multi-tiered risk management
  mission/business processes, 30
  organizational risk management, 28–30

N
National Institute of Standards and Technology (NIST)
  E-Government Act, 2002, 14
National Security Agency (NSA), 129, 132
National Security Systems (NSS)
  description
National Security Telecommunications Advisory Committee (NSTAC), 17
National Security Telecommunications and Information Systems Security Committee (NSTISSC), 14
NIST SP 800-30, risk management and SDLC, 24
NIST SP 800-37, RMF implementation, 59

O
Office of the Director of National Intelligence (ODNI), 14–15
Operations and maintenance (O&M), 127–128
Organizational leadership and security staff, 171
Organizational tier, risk management
  organizational leaders, 28–29
  roles and responsibilities, 29
Organization’s portfolio management office, 102, 176

P
Payment card industry (PCI), 173–174
Plan of action and milestones (POA&M)
  changes to milestone dates, 150
  key milestones and milestone completion dates, 150
  office/organization responsible for resolving weakness, 149
  and OMB
  required funding and source of funding, 150
  scheduled completion date, 150
  security assessment report, 148
  system owner and authorizing official, 149
  weakness
Plans of action and milestones (POA&M), 17–18
President’s Critical Infrastructure Protection Board (PCIPB), 17
Privacy impact assessment (PIA), 41
Program management (PM), 187

Q
Qualified security assessors (QSA), 173–174

R
Risk management
  components
  risk executive (function)
    coordination, senior leaders and executive, 31–32
  and RMF
    evaluation levels, 24, 25f
Risk management framework (RMF)
  administrative professionals
  earlier certification and accreditation program, 52–53
  management professionals
  technical professionals

S
Security assessment report (SAR)
  correction and assessor comments, 145, 184
  interim security assessment reports, 142–143
  reciprocity determination, 142
Security categorization
  benefits management information type, 80–81
  information owner/steward, 77–78
Security control
  assessment
    authorization and reauthorization testing, 140
    common controls evaluation, 141
    continuous monitoring program, 159–160
  common control identification
    high-level organizational policies, 109
    information system owners, 111
    system development time, 110
  common control providers, 122, 177
  continuous monitoring strategy, 122, 183
  dissection
    priority and baseline allocations section, 107
    supplemental guidance, 106
  documentation
    formal plan and explanation document, 131
    “Information Security Awareness and Training (AT-1, AT-2, AT-3, AT-4)”, 131–132
    systems security plan updating, 131–132
  risk determination and acceptance, 165–166
  system removal and decommissioning, 166–167
  monitoring strategy development
    organizational continuous monitoring program, 117
    organizational historical documentation, 118–119
    system development decisions, 118
  requirements, assessment
    baseline categorization, 208
    CNSSI 1253 baseline categorization, 225
    NIST SP 800-53A assessment methods, 189–208
    SP 800-53 security controls to HIPAA security rule, 266–271
  selection
    access control family controls, 112, 113f
    compensating control guidance, 115
    system’s categorization, 112
Security control assessor (SCA)
  authorization and reauthorization testing, 140
  system examination methods, 138
Security documentation, updating, 162–163
Security professionals, 172
Security status reporting, 164
Security technical implementation guides (STIG), 129
Senior information security officer (SISO), 63–64
Special Publications (SP)
Sysadmin, Audit, Networking and Security (SANS), 129–130
System controls’ traceability matrix (SCTM), 131
System development life cycle (SDLC)
  agile system development, 44–45
System removal and decommissioning, 166–167
System’s registration, 176

T
The Health Insurance Portability and Accountability Act (HIPAA), 173
Traditional SDLC
  development/acquisition
  disposal
  implementation/assessment, 42–43
  initiation phase
    group charters and systems, 41
  operations and maintenance
    configuration control board (CCB), 43
  repeating phases and cycling/changes, 44
Trusted internet connections (TIC), 87, 88

U
United States Government Configuration Baseline (USGCB), 184

W