This publication and the abstract below were published by the Federal CIO Council. ICIT strongly encourages you to visit the Federal CIO Council Publication Library to search for additional information security resources, which are freely available.
The Federal CIO Council: Chief Information Security Officer Handbook
This handbook aims to give CISOs important information they will need to implement Federal cybersecurity at their agencies. It is designed to be useful both to an executive with no Federal Government experience and to a seasoned Federal employee familiar with the nuances of the public sector. At its core, the handbook is a collection of resources that illuminate the many facets of the cybersecurity challenge and the related issues and opportunities of Federal management.
Section 1 outlines the CISO’s role within the agency and in the Federal Government as a whole. The section starts with an overview of the statutory language that defines the CISO’s mandate and the responsibilities agencies have in regard to information and information security. Next comes an overview of key organizations and their roles in Federal cybersecurity. The section concludes with a summary of the many kinds of reporting the CISO must conduct to keep the agency accountable to government-wide authorities.
In Section 2, the challenge of cybersecurity is broken down into two parts: managing risk across the enterprise and government-wide policies and initiatives. Each part begins with summaries of key reference documents for that aspect of the challenge.
Section 3 contains information to help CISOs manage their organization’s resources. The section begins with an overview of Federal workforce and hiring authorities and the mechanisms by which a CISO can develop an effective cybersecurity team. An overview of contracting follows with summaries of Federal acquisition regulations and contracting vehicles. Section 3 ends with a high-level overview of the government-wide services designed to help CISOs better perform their duties and improve the cybersecurity posture of their agency and, by extension, the Federal Government as a whole.
The appendices contain links and reference documents that direct CISOs to more detailed information on the tools, policies, and best practices discussed in this handbook. The “FISMA Responsibility Breakdowns” and the “Governmentwide Policies and Publications” portions were developed specifically for this handbook.
As a whole, this handbook is meant to provide CISOs with a foundational understanding of their role. The information is presented in plain language with the expectation that it will be reinforced with detailed analysis of both government-wide and agency-specific resources. The tools, initiatives, policies, and links to more detailed information make the handbook an effective reference document regardless of the reader’s familiarity with Federal cybersecurity.