Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact US-CERT if you have any questions about the US-CERT website archive.

Risk Management Framework References

Author(s): Gary McGraw
Maturity Levels and Audience Indicators: / E
SDLC Life Cycles: Requirements
Copyright: Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.


Publications relevant to technology risk management.

The following standards documents and government publications are directly relevant to technology risk management. Several of the five stages described in the RMF can be strengthened by adopting parts of the processes these documents describe. Of particular relevance are the charts and tables defined by NIST.1

In addition to these standards, a number of other references are useful.


[Anderson 01]

Anderson, R. Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley and Sons, 2001.

[Cavusoglu 02]

Cavusoglu, H.; Mishra, B.; & Raghunathan, S. The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers. Dallas, TX: University of Texas at Dallas, 2002.

[Hoglund 04]

Hoglund, G. & McGraw, G. Exploiting Software: How to Break Code. Boston, MA: Addison-Wesley, 2004.

[Howard 01]

Howard, M. & LeBlanc, D. Writing Secure Code. Redmond, WA: Microsoft Press, 2001.

[Howard 03c]

Howard, M. & Lipner, S. "Inside the Windows Security Push." IEEE Security & Privacy 1, 1 (Jan.-Feb. 2003): 57-61.

[McGraw 03d]

McGraw, G. "From the Ground Up: The DIMACS Software Security Workshop." IEEE Security & Privacy 1, 2 (March-April 2003): 59-66.

[McGraw 04]

McGraw, G. "Software Security." IEEE Security & Privacy 2, 2 (March-April 2004): 80-83.

[Saltzer 75]

Saltzer, J. H. & Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.

[Verdon 04]

Verdon, D. & McGraw, G. "Risk Analysis in Software Design." IEEE Security & Privacy 2, 4 (July-Aug. 2004): 79-84.

[Viega 00]

Viega, J.; Bloch, J.; Kohno, T.; & McGraw, G. "ITS4: A Static Vulnerability Scanner for C and C++ Code." Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC). New Orleans, LA, December 11-15, 2000.

[Viega 02]

Viega, J. & McGraw, G. Building Secure Software: How to Avoid Security Problems the Right Way. Boston, MA: Addison-Wesley, 2002.

[Wagner 00]

Wagner, D.; Foster, J.; Brewer, E.; & Aiken, A. "A First Step Towards Automated Detection of Buffer Over-run Vulnerabilities." Proceedings of the Year 2000 Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 3-4, 2000.

[Walsh 03]

Walsh, L. "Trustworthy Yet?" Information Security Magazine, February 2003.

[Wing 03]

Wing, J. "A Call to Action: Look Beyond the Horizon." IEEE Security & Privacy 1, 6 (Nov.-Dec. 2003): 62-67.

1. The NIST charts and tables cover topics such as security controls (SP 800-53); information system vulnerabilities and mission risk; the security certification and accreditation process for a large and complex system (SP 800-37); and, from the risk management guide (SP 800-30), integrating risk management into the SDLC, risk assessment methodology, human threats (source, motivation, and actions), vulnerability/threat pairs, risk levels and scale with the actions each requires, risk mitigation action points, the risk mitigation methodology flow chart, technical security controls, implemented controls and residual risk, and a sample safeguard implementation plan summary.