By Lon J. Berman CISSP, RDRP The National Institute of Standards and Technology (NIST) is in the process of preparing Special Publication (SP) 800-37 Rev 2 for publication. As you may know, NIST SP 800-37 is the publication that defines the Risk Management Framework (RMF) roles, responsibilities and life cycle process. A review of the…
Interesting press release just put out stating that NIST is updating the RMF to incorporate privacy considerations. Full release can be found here.
By Kathryn Daily, CISSP, RDRP If you heard a whooshing sound on New Years Eve, that was probably the deadline for compliance with NIST 171 flying by. A lot of you might be asking “What is NIST 171?” NIST 171 is a set of requirements documented in the NIST Special Publication 800-171 (Protecting Controlled Unclassified…
By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…
By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…
By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website, www.cnss.gov,…
By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…
As many of you are already aware, NIST offers free online Risk Management Framework training as a resource on their website. While this is a great resource containing excellent information and should be included in your learning plan, it is not enough when it comes to preparing yourself and your staff for the transition from DIACAP…
By Lon J. Berman, CISSP BAI Consulting With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD is now official. DoD programs big and small have gotten busy planning their strategies for transitioning from DIACAP to “RMF for DoD IT”. Let’s take a look at some of the…