The approach of this book is to take FISMA, NIST guidance, and DOD policy guidance and provide a detailed hands-on guide to performing assessment events in the federal space since, as of March 2014, all agencies are following the same guidelines under the NIST-based Risk Management Framework as found in Special Publication (SP) 800-37, rev. 1. This book will provide assessment guidance for federal civilian agencies, DOD and IC-type authorization efforts following the CNSS 4015, DIACAP/RMF-DOD validator, and NIST-based SCA requirements and documentation along with my practical experience of performing and overseeing these efforts for 12 different federal agencies on 31 different types of systems over the past 4.5 years.
We will use the NIST SP 800-53A, NIST SP 800-115, DOD’s RMF Knowledge Service, and the NIST control families assessment guides for our exploration of the needs, requirements, and actual test and evaluation efforts for all of the security controls. Each of the controls has a unique way it can and should be evaluated through test, examination, and key personnel interviews and each of these will be explained and discussed. We will supplement this process with detailed technical, operational, and administrative knowledge for each control, as needed, with data from the various best practices Special Publications from NIST, technical support data available from various security vendors, best business practices gathered from industry, and in-depth knowledge of controls and their assessment gleaned from hands-on utilization and evaluation efforts.