1 hour 27 minutes

Video Description

In this lesson, Subject Matter Expert (SME) Kelly Handerhan discusses why a risk management system is important and which documents are used to establish it. She explains the relationships among the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST), and the Risk Management Framework (RMF). Handerhan then presents some of the reasons a risk-based approach to information security is so important. The RMF answers the need to look at current laws and the current threat landscape and determine what is required to manage risk as effectively as possible. In this view, risk management and information security are one and the same, and the RMF treats information security in the context of a risk management system. Handerhan discusses the E-Government Act of 2002, which established FISMA, and explains that the Act was a direct result of the 9-11 terrorist attacks. The Act highlighted that information security is as relevant to national security as anything else, and that secrets must be protected in a manner directly related to today's threats. Under the Act, NIST was charged with developing standards and guidelines that apply to all federal agencies in order to protect the nation; the RMF is the result. NIST's goal is to set standards that are easy to work with and that provide consistency and a platform-independent approach to systems. Handerhan explains that, although NIST is a non-regulatory body, its guidelines may be mandated through several means.

Handerhan presents a thorough discussion of the significant NIST documents that pertain to the RMF:

- the Federal Information Processing Standards (FIPS), which set out guidelines for categorizing systems and provide the minimum necessary security requirements
- the NIST Special Publications (SPs)

The discussion of the relationship between FISMA, NIST, and the RMF, and of the important RMF documents, continues in Lesson 2.

Instructed By

Kelly Handerhan
Senior Instructor