By Kathryn M. Farrish, CISSP at BAI Inc. One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of Security Controls in accordance with NIST SP 800-53 and CNSSI 1253. Security controls provide specific safeguards in numerous subject areas (aka. “families”), including access…
Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…
By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from…
By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting system owner provided “self assessment” of security control…
With all the renewed furor over the government attempting to force Apple to backdoor iOS devices so the FBI can inspect the phone of the San Bernardino terrorists I found myself with a usual set of emotions. I have always been an advocate of limited government involvement in the lives of private citizens (i.e. approaching…
Disclosure: I am one of the world’s biggest fans of, and greatest advocates for, IPv6. In the words of rapper 50 Cent, “I love it like a fat kid loves cake.” Anyone I have ever been able to corner in a room knows this to be true. That being said… I just finished reading [yet…
When is the last time you sat down at your desk and really went full-geek on something just because you found it fascinating? No, not because you needed to know it for work or because you wanted to build up your skill set for some future position; I’m talking about full-on burial in a topic…
Before we start, please be sure to download ITdojo’s password entropy worksheet (MS Excel, OS X Numbers, LibreOffice Calc compatible). It’s a nice companion to this post and a useful tool later down the road. Password Entropy Calculator It’s mandated by policy. It’s a best practice for sure. And it’s nothing new to virtually all…