In this lesson, Subject Matter Expert (SME) Kelly Handerhan discusses why a risk management system is important and which documents are used to establish it. She explains the relationships among the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST), and the Risk Management Framework (RMF), and then presents some of the reasons a risk-based approach to information security is so important. The RMF answers the need to look at current law and the current threat landscape and determine what is required to manage risk as effectively as possible. In Handerhan's view, risk management and information security are inseparable: each is the other, and the RMF treats information security in the context of a risk management system.

Handerhan discusses the E-Government Act of 2002, Title III of which is FISMA, and explains that the E-Government Act was a direct result of the 9/11 terrorist attacks. The Act recognized that information security is as relevant to national security as anything else, and that secrets must be protected in a manner matched to today's threats. Under the Act, NIST was charged with producing standards and guidelines that apply to all federal agencies; that work resulted in the RMF. NIST's goal is to set standards that are easy to work with and that provide consistency and a platform-independent approach to systems. Handerhan explains that, although NIST is a non-regulatory agency, its guidelines may be made mandatory through several means; for example, FISMA requires federal agencies to comply with the Federal Information Processing Standards (FIPS) that NIST issues.
Handerhan presents a thorough discussion of the significant NIST documents that pertain to the RMF:
- the Federal Information Processing Standards (FIPS), which set out how systems are categorized (FIPS 199) and the minimum security requirements those systems must meet (FIPS 200)
- the NIST Special Publications (SPs)

The discussion of the relationship between FISMA, NIST, and the RMF, and of the important RMF documents, continues in Lesson 2.