The Risk Management Framework

First published Spring 2012, Crosslink® magazine


In 2002, Congress passed the Federal Information Security Management Act (FISMA). As part of the implementation effort, the National Institute of Standards and Technology released Special Publication 800-37, which replaces the traditional certification and accreditation process with a six-step risk-management framework.

The six steps are, in order: categorize the information system; select the security controls; implement the controls; assess the implementation of the controls; authorize the information system to operate; and, as the final and open-ended step, continuously monitor the security controls.

The framework also covers basic concepts such as incorporating risk-management principles and best practices into organization-wide strategic planning and business processes; integrating information-security requirements into system development lifecycle processes; establishing practical and meaningful boundaries for organizational information systems; and allocating security requirements to organizational information systems as system-specific, hybrid, or common controls. It further emphasizes the need to consider information security from the earliest concept stage of a system rather than adding it afterward.

Go to the main article: Cyber Protection and Space System Acquisition
