The Risk Management Framework
In 2002, Congress passed the Federal Information Security Management Act (FISMA). As part of the implementation effort, the National Institute of Standards and Technology released Special Publication 800-37, which replaces the traditional certification and accreditation process with a six-step risk-management framework.
The first step is to categorize the information system according to the impact of a loss of confidentiality, integrity, or availability. Next, the security controls are selected and implemented. The implemented controls are then assessed, and the information system is authorized. The sixth and final step, which has no end date, is ongoing monitoring of the security controls.

The framework covers basic concepts such as incorporating risk-management principles and best practices into organization-wide strategic planning and business processes; integrating information-security requirements into system development lifecycle processes; establishing practical and meaningful boundaries for organizational information systems; and allocating security requirements to organizational information systems as system-specific, hybrid, or common controls. It also emphasizes the need to consider information security from the earliest concept stage rather than as an afterthought.