CISO Handbook: The how-to guide for agency cyber execs

To help agencies get the cybersecurity talent they need, the Chief Information Security Officers Council has released the CISO Handbook, a new resource for key policies, initiatives, templates and processes to help prepare future cybersecurity executives for their roles and responsibilities for securing federal data and systems. The handbook was released on June 26.

“Breaking the complex conversation of the CISO role and risk management into consumable pieces can only help the community succeed in bringing new talent onboard and meeting our mission needs,” Emery Csulak, CISO at the Centers for Medicare and Medicaid Services, was quoted as saying in a CIO Council blog post.

The handbook features three main sections and appendices with links and reference documents that provide a systematic overview of the risk management process. To help agencies comply with the Trump administration's cybersecurity executive order, the handbook "maps example agency policies to specific objectives in the Cybersecurity Framework Core as well as to key NIST publications," the CIO Council wrote in the blog post.

The first section outlines the CISO’s role at individual agencies and with the federal government as a whole. It also provides an overview of key federal cybersecurity organizations and a summary of the kinds of reporting that CISOs must submit to oversight authorities.

The second section includes high-level summaries of key risk management publications and focuses specifically on the National Institute of Standards and Technology’s Cybersecurity Framework. The section also lists key government policies and memos that include information security requirements for agencies.

The third section gives agency CISOs management resources to help them make personnel decisions and address workforce challenges. The section also lists some of the security services available from the General Services Administration and the Department of Homeland Security.

Lastly, the five appendices provide agencies with examples of internal policies for secure asset management, risk management, asset control, system maintenance and continuous monitoring. There are also links to governmentwide policies and publications that impact the CISO’s role, a breakdown of agency responsibilities under the Federal Information Security Management Act, links to governmentwide cybersecurity resources and acquisition vehicles, as well as a glossary.

Read the full CISO Handbook here.  

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or followed on Twitter @SaraEFriedman.
