A Framework and Roadmap for FISMA
May 7, 2013

A proposed Enterprise Risk Management Program structure would be developed and implemented in a phased, or incremental, manner:
- Phase One:
  - Strategy and communications planning
  - Organizational construct framework developed and approved, with resources assigned
  - Identification of major milestones for program reporting, usually tied to the IT audit and/or FISMA reporting cycle
  - Security policy review and refresh
  - Security Architecture review and gap analysis
- Phase Two:
  - Asset inventory
  - Continuous Monitoring program development and initiation
  - Identification/revalidation of High and Moderate Impact Systems according to NIST 800-53x and FIPS 199 System Categorization
  - Security Architecture refresh
- Phase Three:
  - Ongoing Continuous Monitoring and reporting
  - Communications and outreach planning to disseminate new program and policy objectives
  - Training and Awareness for staff and key security/program managers
  - Integration of the Cyber Security Program into all Enterprise IT planning, acquisition, and operational activities
Risk Management Organizational Structure and Services

| Function | Services |
| --- | --- |
| Governance & Oversight | Certification & Accreditation (C&A); FISMA Compliance; Security Test & Evaluation (ST&E); Security Policy Development and Maintenance; Security Training and Awareness; Compliance Audits; Vulnerability Scanning; Security Policy Development and Management |
| Security Architecture & Engineering | Network and Perimeter Security; Intrusion Prevention and Detection; Audit and Monitoring; System and Application Hardening; Database Security; Code Review |
| Security Operations | Incident Response & Management; Contingency Planning; Critical Infrastructure Protection; Security Operations Center (SOC); Network Operations Center (NOC); Asset Monitoring and Management; Security Help Desk and Field Support; Physical Security and Secure Environment Services |