ABSTRACT

FISMA assigns responsibility for ensuring the confidentiality, integrity, and availability of sensitive agency information and the agency's information technology systems to the senior agency information security officer or chief information security officer (CISO). The CISO achieves this objective by instituting policies, developing processes, and implementing procedures that give visibility of vulnerabilities in security controls, of changes in information systems, and of changes in their security posture; that define security requirements; and that influence the behavior of system owners, managers, and users toward a positive, secure end. It is through these policies, processes, and procedures that a CISO gains assurance that systems are in fact secure, and visibility of the vulnerabilities that prevent them from being secure.