Policy on Information Assurance Risk Management for National Security Systems

"CNSSP [Committee on National Security Systems Policy] No. 22 requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of National Security Systems (NSS). Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis. This policy will be implemented based upon guidance found in the documents listed in Annex B, which provide a detailed approach to IA risk management. Upon this revision of CNSSP No. 22, CNSS Policy No. 6, 'National Policy on Certification and Accreditation of National Security Systems,' dated October 2005, and National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 1000, 'National Information Assurance Certification and Accreditation Process (NIACAP),' dated April 2000 will be canceled."

Report Number: Committee on National Security Systems Policy CNSSP No. 22
Public Domain
Retrieved From: Committee on National Security Systems: http://www.cnss.gov/