Posted by:Admin | Posted on: April 22nd, 2014 | 0 Comments
Posted by:Admin | Posted on: April 21st, 2014 | 0 Comments
ITdojo has added a few new training locations for our Risk Management Framework (RMF) related training courses to accommodate our DoD and Federal Civil Agency clients across the country. Our RMF for DoD IT, RMF for FISMA IT, and Information Security Continuous Monitoring courses are available as instructor-led offerings in Virginia Beach, VA; Colorado Springs, CO; Huntsville, AL; and Washington, DC. If you are outside those areas, training can also be brought to your location. Contact us for details. Also, keep in mind that these classes are frequently available as Live Remote Online training sessions if traveling for training is not in your budget.
Posted by:Admin | Posted on: April 16th, 2014 | 0 Comments
A deadline for federal agencies to adhere to the government's baseline cloud security standards, and changes to the standards themselves, are coming up very soon. The deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program (FedRAMP) is June 5, 2014. Read more about this in this article on NextGov (http://www.nextgov.com/cloud-computing/2014/04/your-agency-ready-fedramp-deadline-june/82486/). To help you with your preparations for FedRAMP, ITdojo has courses running in Northern Virginia every other month. To learn more about this Cloud Security and FedRAMP course, visit this page.
Posted by:Admin | Posted on: April 11th, 2014 | 0 Comments
By Lon J. Berman, CISSP
The wait is over! RIP DIACAP!! At long last, DoD has announced the start of the transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies, including DoD, the intelligence community and all "civil" departments/agencies, into a "unified information security framework." Two key documents were signed and released by DoD Chief Information Officer Teresa Takai in March 2014:
- New DoD Instruction (DoDI) 8500.01, replacing DoD Directive (DoDD) 8500.1. The title has been changed from Information Assurance to Cybersecurity.
- Revised DoD Instruction (DoDI) 8510.01; title changed from DIACAP to Risk Management Framework (RMF) for DoD Information Technology (IT).
The DoD RMF in turn builds on the following NIST and CNSS publications, which the revised DoDI 8510.01 adopts for DoD use:
- NIST Special Publication (SP) 800-53, Revision 4. This document contains an extensive "catalog" of Security Controls (requirements).
- NIST SP 800-37, Revision 1. This is the definitive Risk Management Framework document, describing the roles and responsibilities, life cycle process, etc.
- CNSS Instruction (CNSSI) 1253. This publication describes the methodology that DoD will use for categorizing systems and selecting security controls.
- NIST SP 800-53A, Revision 1 (the current revision at the time of writing; an update aligning it with SP 800-53 Revision 4 was still in draft). This document contains recommended assessment objectives and procedures for each of the Security Controls.
Posted by:Admin | Posted on: April 10th, 2014 | 0 Comments
By Lon J. Berman, CISSP
As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all the things that will be changing: everything from terminology to documentation to security controls. Thankfully, not everything is changing! We thought it would be interesting to take a look at some of the things that will not be changing with the advent of RMF in DoD.
1. DoDI 8510.01. DoD Instruction 8510.01 will remain the governing document for the security life cycle process. It is currently being revised to reflect RMF rather than DIACAP as the "official" DoD process.
2. DIACAP Knowledge Service. The DIACAP Knowledge Service will remain the authoritative source for security-related information and guidance. RMF-oriented content is currently being added.
3. Major Change. Systems will still need to be reauthorized (reaccredited) when a "major change" to the system takes place. The individual who signed the Authorization to Operate (ATO) will still have the final say on whether or not a proposed change is "major".
4. Contractor-Owned/Operated Systems. IT-based processes "outsourced" to contractor-owned systems will still require an ATO.
5. Independent Assessment. DoD systems will still require independent assessment (in accordance with DoD Component policies and procedures) in order to receive an ATO.
6. System Registration. Information systems will still need to be registered with the IA program, in accordance with DoD Component policies and procedures.
7. Plan of Action and Milestones (POA&M). POA&Ms will continue to be used to report and track security weaknesses of information systems, and to manage corrective actions.
8. Configuration Standards. DISA Security Technical Implementation Guides (STIGs) will continue to be the official DoD standards for configuring operating systems, databases, web servers, network devices, etc.
9. Training and Certification. DoD Directive 8570.01 and its manual, DoD 8570.01-M (or their planned successor), will still be in force. DoD employees and contractors having any sort of IA responsibility will still be required to hold an appropriate professional certification.
10. Authorization to Operate (ATO). All information systems owned by DoD, or operated on behalf of DoD, will still need an ATO from a senior DoD official. The process leading to the ATO will be changing (RMF rather than DIACAP), and even the title of the person signing it will change (Authorizing Official rather than Designated Accrediting Authority, or DAA), but the fundamental concept of a risk-based decision (balancing residual risk against mission need) will be unchanged.
If you are interested in learning more about our RMF for DoD IT training course, please click here.
Posted by:Admin | Posted on: April 9th, 2014 | 0 Comments
For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution.