Risk Management Solutions

ISFMT understands that risk management is an inherent requirement for all initiatives and programs. This is particularly true given the rapid pace of change brought on by concurrent transformation activities across the entire defense enterprise. ISFMT utilizes Federal and International Risk Management Standards, which have a long history of successful use in the disaster recovery and business continuity arenas. We apply these techniques, tactics, policies, and procedures to federal information systems, including those supporting defense, human resources, legal, and counterterrorism missions.

ISFMT's Risk Management Focus

ISFMT supports this critical task by:

  • Assisting in the performance of the risk management process,
  • Providing input to the process for identifying risks, and
  • Performing actions to reduce the exposure from each risk, by lowering its probability, its consequence, or both.

Risk Management Approach

Risk Management is an integral process in standard business practice and in effective project management, where it supports control of performance, schedule, and cost. Effective Risk Management requires the involvement of the entire program and of subject matter experts knowledgeable in the critical risk areas.

Risk assessment is the first process in the risk management methodology. ISFMT uses risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for that system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).

In accordance with the federal risk management standard NIST Special Publication 800-30, ISFMT utilizes the following risk assessment methodology, encompassing nine primary steps:

  • Step 1: System Characterization
  • Step 2: Threat Identification
  • Step 3: Vulnerability Identification
  • Step 4: Control Analysis
  • Step 5: Likelihood Determination
  • Step 6: Impact Analysis
  • Step 7: Risk Determination
  • Step 8: Recommendations
  • Step 9: Results Documentation


The new NIST Risk Management Framework, as defined in NIST Special Publication 800-37 Rev. 1, now includes the following areas:

  • Categorize Information Systems (formerly part of the Preparation Phase)
  • Establish the Security Control Baseline (formerly part of the Preparation Phase)
  • Apply Security Controls (formerly part of the Preparation Phase)
  • Assess Security Controls (also known as the Certification Phase)
  • Authorize Information System (formerly the Execution Phase)
  • Monitor Security Controls (also known as Continuous Monitoring)

This new approach addresses the need for security that adapts to the current threat environment, for continuous monitoring of security actions and activities, and for governance and compliance with federal and international standards.

Each of these security actions brings with it requirements for auditing, assessment and testing, and report generation. All of the families of security controls within the federal information system arena are addressed within this framework. The current families of controls are:

©2011 ISFMT, Inc. All Rights Reserved. Office: 803-593-4162 : Fax: 866-247-4819