Blog Archives

Cloud Security and FedRAMP. Are you Ready for it?

Posted by:Admin | Posted on: April 16th, 2014 | 0 Comments

A deadline for federal agencies to adhere to the government's baseline cloud security standards, and changes to the standards themselves, are coming up very soon. The deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program (FedRAMP) is June 5, 2014. Read more about this in this article on NextGov. To help you prepare for FedRAMP, ITdojo runs courses in Northern Virginia every other month. To learn more about the Cloud Security and FedRAMP course, visit this page.

DoD (Finally) Begins Transition to RMF

Posted by:Admin | Posted on: April 11th, 2014 | 0 Comments

By Lon J. Berman, CISSP

The wait is over! RIP DIACAP!! At long last, DoD has announced the start of transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies … including DoD, the intelligence community and all "civil" departments/agencies … into a "unified information security framework." Two key documents were signed and released by DoD Chief Information Officer Teresa Takai in March 2014:
  • New DoD Instruction (DoDI) 8500.01, replacing DoD Directive (DoDD) 8500.1. The title has been changed from Information Assurance to Cybersecurity.
  • Revised DoD Instruction (DoDI) 8510.01; title changed from DIACAP to Risk Management Framework (RMF) for DoD Information Technology (IT).
So far, so good ... but wait a minute! What about DoDI 8500.2? For those new to the process, that's the document that contains all the "IA Controls" (security requirements) with which DoD systems are required to comply. Wouldn't that also need to be revised to fit into the new process? Well, the short answer is there will be no revised DoDI 8500.2; DoD has decided to simply rescind it. So how exactly is DoD going to implement a brand new information security framework without specifying requirements? It's easy: they've decided not to try to reinvent the wheel, but rather to leverage the extensive work of NIST, the National Institute of Standards and Technology, and CNSS, the Committee on National Security Systems. A few of the key NIST and CNSS publications that are being "adopted" by DoD are:
  • NIST Special Publication (SP) 800-53, Revision 4. This document contains an extensive “catalog” of Security Controls (requirements).
  • NIST SP 800-37, Revision 1. This is the definitive Risk Management Framework document, describing the roles and responsibilities, life cycle process, etc.
  • CNSS Instruction (CNSSI) 1253. This publication describes the methodology that DoD will use for categorizing systems and selecting security controls.
  • NIST SP 800-53A Revision 2. This document contains recommended assessment objectives and procedures for each of the Security Controls.
The change from DIACAP to RMF will eventually affect every DoD information system, including "DoD owned and operated" systems as well as processes and systems operated by industry partners on behalf of DoD. A phased approach is being adopted, such that every system will be fully transitioned in time for its next re-authorization (reaccreditation) date. Now that the official publications are on the ground, there is plenty of work still to be done by DoD to support the transition. The Knowledge Service website is in the process of being updated with RMF information, including the all-important assessment procedures for evaluating compliance with each of the controls. Also on the horizon is a major overhaul of the eMASS tool to support the RMF workflow, the NIST security control set, etc. ITdojo now has three courses to help with the transition if your organization has not already made it:
  • Risk Management Framework (RMF) for DoD IT Training
  • Risk Management Framework (RMF) for FISMA IT Training
  • Information Security Continuous Monitoring (ISCM) Training

Top 10 Things that Will Be Staying the Same with RMF

Posted by:Admin | Posted on: April 10th, 2014 | 0 Comments

By Lon J. Berman, CISSP

As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all the things that will be changing: everything from terminology to documentation to security controls. Thankfully, not everything is changing! We thought it would be interesting to take a look at some of the things that will not be changing with the advent of RMF in DoD.

1. DoDI 8510.01. DoD Instruction 8510.01 will remain the governing document for the security life cycle process. It is currently being revised to reflect RMF rather than DIACAP as the "official" DoD process.
2. DIACAP Knowledge Service. The DIACAP Knowledge Service will remain the authoritative source for security-related information and guidance. RMF-oriented content is currently being added.
3. Major Change. Systems will still need to be reauthorized (reaccredited) when a "major change" to the system takes place. The individual who signed the Authority to Operate (ATO) will still have the final say on whether or not a proposed change is "major".
4. Contractor Owned/Operated Systems. IT-based processes "outsourced" to contractor-owned systems will still require an ATO.
5. Independent Assessment. DoD systems will still require independent assessment (in accordance with DoD Component policies and procedures) in order to receive an ATO.
6. System Registration. Information systems will still need to be registered with the IA program, in accordance with DoD Component policies and procedures.
7. Plan of Action and Milestones (POA&M). POA&Ms will continue to be used to report and track security weaknesses of information systems, and to manage corrective actions.
8. Configuration Standards. DISA Security Technical Implementation Guides (STIGs) will continue to be the official DoD standards for configuring operating systems, databases, web servers, network devices, etc.
9. Training and Certification. DoD Instruction 8570.1 (or its planned successor) will still be in force. DoD employees and contractors having any sort of IA responsibility will still be required to hold appropriate professional certification.
10. Authority to Operate (ATO). All information systems owned by DoD, or operated on behalf of DoD, will still need an ATO from a senior DoD official. The process leading to ATO will be changing (RMF rather than DIACAP). Even the title of the person signing it will change (Authorizing Official rather than DAA), but the fundamental concept of a risk-based decision (balancing residual risk against mission need) will be unchanged.

If you are interested in learning more about our RMF for DoD IT training course, please click here.

RMF Documents and Resources

Posted by:Admin | Posted on: April 9th, 2014 | 0 Comments

For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution.

Laws and Executive Branch Policies

  • Federal Information Security Management Act (FISMA)
  • OMB Circular A-130 Appendix III (Security of Federal Information Systems)

Federal Information Processing Standard (FIPS) Publications

  • FIPS 199 (Security Categorization)
  • FIPS 200 (Minimum Security Controls)

NIST Special Publications (SP)

  • SP 800-18 (Security Plans)
  • SP 800-30 (Risk Assessment)
  • SP 800-34 (Contingency Planning)
  • SP 800-37 (Risk Management Framework)
  • SP 800-39 (Organizational Risk Management)
  • SP 800-53 (Security Controls)
  • SP 800-53A (Security Controls Assessment)
  • SP 800-59 (National Security Systems)
  • SP 800-60 (Security Categorization), Volume 1
  • SP 800-60 (Security Categorization), Volume 2
  • SP 800-61 (Incident Response Planning)
  • SP 800-137 (Continuous Monitoring)

Committee on National Security Systems (CNSS) Publications

  • CNSSP 22 (Risk Management Policy for NSS)
  • CNSSI 1253 (Security Categorization and Control Selection for NSS)
  • CNSSI 4009 (Information Assurance Glossary)

Department of Defense Instructions (DoDI)

  • DoDI 8500.01 (Cybersecurity) (new)
  • DoDI 8510.01 (RMF for DoD IT) (new)

Intelligence Community (IC) Publications

  • ICD 503 (Risk Management, Certification and Accreditation)

Top Ten—What’s “new” in RMF for DoD IT?

Posted by:Admin | Posted on: April 8th, 2014 | 0 Comments

By Lon J. Berman, CISSP

Now that DoD has "officially" begun its adoption of RMF, let's take a look at some of the things that are "new"!

10. Cybersecurity. The word "Cybersecurity" has been part of the government IT security discussion for several years, going back to a Presidential Directive in 2008. DoD has now adopted the term Cybersecurity in place of Information Assurance.
9. A&A. With the adoption of RMF, the term "Assessment" will replace "Certification", and "Authorization" will replace "Accreditation". Certification and Accreditation (C&A), which has been a cornerstone of DoD IT security for 20 years or more, will henceforth be known as Assessment and Authorization (A&A).
8. Types of DoD IT. DoD now views the overall IT landscape as a collection of Major Applications, Enclaves, Platform IT (PIT), IT Services, and Products. PIT is further subdivided into PIT Systems and PIT. Some of these require assessment and authorization, while others require only assessment.
7. Categorization. DoD will now categorize systems as High, Moderate or Low for each of the three security objectives (Confidentiality, Integrity, Availability). This is in accordance with CNSS Instruction 1253, and replaces the Mission Assurance Category (MAC) and Confidentiality Level (CL).
6. Authorizing Official. Senior DoD officials responsible for accepting risk and authorizing systems for operation will henceforth be known as Authorizing Official (AO) rather than Designated Approving Authority (DAA).
5. Old titles make a comeback. IA Managers and IA Officers will once again be referred to as Information System Security Managers/Officers (ISSM/ISSO). Many of us have been in the field long enough to remember when those were the titles of choice.
4. Security Plan. A security plan will be required of every DoD IT or PIT System, including, at a minimum, an overview of the security requirements for the system and the security controls in place or planned to meet those requirements.
3. Security Control Assessor (SCA). This is the name now given to the individual or organization responsible for independently testing the security controls of DoD IT systems.
2. Continuous Monitoring. RMF for DoD IT places greater emphasis on the process for ongoing monitoring of security posture. System Owners will be required to develop and receive approval for monitoring plans early in the life cycle. In some cases, systems with robust continuous monitoring programs will be eligible for "ongoing authorization" in lieu of periodic re-authorization.
1. THE NAME. Risk Management Framework (RMF) for DoD Information Technology (IT) ... "RMF for DoD IT" … is the name DoD has given to this new process for managing life cycle risk, replacing the DoD Information Assurance Certification and Accreditation Process (DIACAP). This is significant because there has been so much speculation and rumor for so long, and several other names, like DIARMF and Cybersecurity RMF, have been tossed about. That's all in the past now … "RMF for DoD IT" it is! It doesn't exactly roll off the tongue like DIACAP (or its predecessor DITSCAP) did, but we'll all get used to it. More than likely it will come to be called just "RMF" for short.

ITdojo offers a comprehensive, 4-day instructor-led seminar that gets you up to speed on all things RMF. If you would like more information on this training program, please visit our RMF for DoD IT page.

Continuous Monitoring—It’s Not (Just) About The Tools

Posted by:Admin | Posted on: April 7th, 2014 | 0 Comments

by Annette Leonard

Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT system. In spite of this, the risk management processes used in most federal agencies have traditionally been centered around mountains of paperwork, along with "point-in-time" assessments and approvals. With the ascension of RMF, continuous monitoring is finally getting the emphasis it deserves. NIST security control CA-7 (Continuous Monitoring) lays down the fundamental requirement for all information systems to be covered by a continuous monitoring program: "The organization establishes a continuous monitoring strategy and implements a program that includes:
  • A configuration management process for the information system and its constituent components
  • A determination of the security impact of changes to the information system and its environment
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy
  • Reporting the security state of the information system to appropriate organizational officials [at an organization-defined frequency]"
While automated tools are necessary to the organization's continuous monitoring program, they are not sufficient. Automation will only provide meaningful, actionable results when it is employed in the context of a comprehensive strategy and a well thought out implementation program. NIST Special Publication 800-137 is an excellent resource for further information. ITdojo provides an Information Security Continuous Monitoring training program that thoroughly covers the theory and practice of continuous monitoring. This training program is offered both on-site and online (instructor-led) and is available for registration now. We also offer two Risk Management Framework courses:
  • Risk Management Framework (RMF) for DoD IT Training
  • Risk Management Framework (RMF) for FISMA IT Training
If you would like more information about these courses, please contact us today!