Top Ten—Questions for your Authorizing Official

By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from…

System Scans in eMASS … Think Before You Upload!

By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting system owner provided “self assessment” of security control…

What is STIG Viewer (and why are there two answers)?

By Kathryn M. Farrish, CISSP Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc. Compliance with applicable STIGs is one of the key…

The Top Ten STIGs

Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http:// iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…

Security Control Spotlight: A Little Good News?

Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”.…

RMF’s System Categorization: Step by Step

In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an…

Discounted CompTIA Exam Vouchers

We are pleased to announce that we are able to now offer our clients discounted exam vouchers for CompTIA exams.  The discounts are anywhere from 8 – 12% off of retail pricing. We can save you money on A+, Network+, Security+, CASP, Server+, Storage+, Project+, Linux+, Mobility+, CDIA+, CTT+, Cloud Essentials, Cloud+, Healthcare IT, and…

CISSP Preparation Resources

When it comes to getting your CISSP certification, I have one important word for you: STUDY.  Study in the car (preferably not while driving), study at work (taking care to not get fired), study at home, study everywhere you get a free moment.  Study before training, study after training.  You really cannot study too much…

Top Ten—Data Breaches that Made the News

By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…

Common Controls and Inheritance

By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable  by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…