In today’s tech-driven world, safeguarding sensitive data and critical systems is a top priority, especially for government agencies, including the Department of Defense (DoD). They handle vast amounts of sensitive information, making the Risk Management Framework (RMF) an essential part of their cybersecurity strategy. In this article, we’ll take a dive into RMF, what it’s…
BY KATHRYN DAILY, CISSP, CGRC (FORMERLY CAP), RDRP NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53) provides a set of security and privacy controls for information systems and organizations. It was initially developed by NIST thanks to the E-Government Act of 2002, or more specifically, the Federal Information Security Management Act…
BY LON J. BERMAN, CISSP, RDRP JULY 2023, VOLUME 15, ISSUE 3 When it comes to the future of RMF, rumors abound but truth is hard to come by. In this article, we’ll take a look at some of the speculations and see if there’s any truth to them. Let’s start with an oldie. “DoD…
By Lon J. Berman, CISSP, RDRP Welcome to 2022! It’s now been well over a year since the release of NIST SP 800-53 Rev 5, yet Rev 4 remains the DoD standard. When DoD first adopted RMF … back in 2014! … they expressed their commitment to “keeping up” with the NIST publications. So why…
By Kathryn Daily, CISSP, CAP, RDRP Recently our regional grocery store chain notified their employees and customers that they had a data breach involving some HR data and pharmacy records. The breach was caused by a vulnerability in the Accellion file sharing system which the grocery chain immediately stopped using. As I was perusing the…
By Lon J. Berman, CISSP, RDRP More than ten years ago, RMF came into existence with the intention of becoming the “unified information security framework for the federal government”. With widespread adoption of RMF throughout most federal civil agencies, DoD components and intelligence community agencies, it is safe to say that goal has been met.…
By Philip D. Schall, Ph.D., CISSP, RDRP At IT Dojo, we often have conversations with our students on the topic of taking formal classroom RMF training. In the modern digital landscape, we are able to learn about and complete projects we never thought possible twenty years ago through free online resources. The internet has enabled…
Below is a list of upcoming Guaranteed to Run Cisco classes running in Live Remote Online format that are coming up. If you are interested, please reach out to Nick@itdojo.com. Details and pricing provided upon request. CLCOR: Implementing Cisco Collaboration Core Technologies 02-22 to 02-26 ENWLSD: Designing Cisco Enterprise Wireless Networks 03-01 to 03-05 SDWADV: Cisco SD-WAN…
By Lon J. Berman, CISSP, RDRP Q. The Risk Management Framework (RMF) life cycle is comprised of how many steps? A. Oh, that’s easy, it’s six. Well … not so fast. As you probably know, the Risk Management Framework (RMF) has always been described as a six step process, to wit: 1-Categorize, 2- Select, 3-Implement,…
By Kathryn Daily, CISSP, CAP, RDRP Back in September of last year (2020), NIST finally published the final version of Special Publication 800-53 Revision 5. Most notably, this revision incorporated privacy considerations in the security controls themselves rather than having separate control families for the privacy controls (e.g., AR, AP, IP, etc.). This is a…
By Marilyn Fritz, CISSP, CISA, ITIL, PMP The new DFARS Interim Rule that went into effect November 30, 2020 is a game changer for any entities that have or are pursuing Defense Industrial Base (DIB) contracts or subcontracts. Prior to the new Interim Rule, contractors and sub-contractors could self-attest that they met DoD cybersecurity requirements…
By Kathryn Daily, CISSP, CAP, RDRP So by now, I’m sure you’ve seen a ton of articles on the Cybersecurity Maturity Model Certification (CMMC) initiative. A lot of information has been released but there are still a lot of unknowns. What We Know We know that it’s mandatory for all contractors who wish to do…
Dear Dr. RMF, I work in an Army program and I feel like I am getting the hang of RMF, but when the heck do I schedule an independent assessment (SCA-V)? Show Me the SCA-V Dear Show Me the SCA-V, When determining when to schedule a SCA-V assessment you’ll want to take several things into…
By Kathryn Daily, CISSP, CAP, RDRP So, in the last edition of the newsletter I wrote about the need for verification of NIST 171 compliance from DoD contractors, suppliers and vendors who process controlled unclassified information (CUI). Well, the DoD sure delivered on that request. A mere days after the last article was published, DoD…
By Lon J. Berman, CISSP, RDRP Just when folks were beginning to get somewhat comfortable … or, at least, familiar … with the Risk Management Framework (RMF), along come our friends at the National Institute of Standards and Technology (NIST) throwing another framework our way! The Cybersecurity Framework (CSF) has actually been in development since…
By Lon J Berman, CISSP, RDRP The Enterprise Mission Assurance Support Service (eMASS) is a DoD system that serves as an information repository and workflow manager for the Risk Management Framework (RMF) process. The history of eMASS can be traced back to a project called Digital DITSCAP at the Defense Logistics Agency (DLA) in the…
We constantly get asked “Where is the best place to find CISSP practice questions?” and “What sort of resources can you share with me to help me prepare for the CISSP?” In an effort to consolidate all of the answers to these questions, we have put together this list of links. As we find new…
By Kathryn Daily, CISSP, CAP, RDRP Back in September 2018, NIST announced their plans to develop a data privacy framework based off their cybersecurity framework that has been extremely successful in both government and private sector. NIST has worked with industry through webinars and workshops and incorporated both public and private sector feedback for the…
By P. Devon Schall, PhD, CISSP, RDRP Over the past 12 months, I have attended a handful of DoD cybersecurity conferences with the goal of convincing the DoD community that RMF training is a key solution in combatting the perceived RMF crisis. These conferences include the Air Force Information Technology & Cyberpower Conference (AFITC), the…
By Lon J. Berman CISSP, RDRP CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application”. The typical example…
Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems. Yet, there is confusion about…
“How much information is in a message?” Huh??? That sentence, in the context of typical use of those words (information & message), doesn’t immediately make sense to most people. Well, I know it didn’t make sense to me, at least. So let me try asking it in a seemingly more complicated but different way: “If…
By P.Devon Schall Ph.D., RDRP Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF. Dear Doctor RMF, We just received our report from Alex, our independent assessor team lead, and…
By P. Devon Schall, Ph.D., CISSP, RDRP Over the past year, I have conducted research on the relationship between the receipt of formalized RMF training and perceptions of RMF effectiveness, sustainability, and commitment in RMF practitioners. I am very pleased to announce, I have completed the study and have some interesting results to report. This…
By Kathryn Daily, CISSP, RDRP NIST has officially released NIST 800-37 Rev 2 and dubbed it as “RMF 2.0.” The framework has been updated to include both cybersecurity and privacy to be key for an authorization decision. “RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a…
By Lon J. Berman CISSP, RDRP All of us who have spent time working with RMF have come to understand just what a time-consuming and resource-intensive process it can be. As bad as that may be, it is made even worse when the same application or system ends up going through the RMF process multiple…
Training Overview Security Controls Assessment Workshop provides a current and well-developed approach to evaluation and testing of security controls to prove they are functioning correctly in today’s IT systems. This course shows you how to evaluate, examine, and test installed security controls in the world of threats and potential breach actions surrounding all industries and…
By Lon J. Berman CISSP, RDRP Thanks to the work of the Joint Task Force, RMF is now the official information security life cycle process across all three “segments” of the Executive Branch, i.e., DoD, federal civil agencies, and the intelligence community. It’s now been 4 ½ years since DoD officially “adopted” RMF (DoDI 8510.01,…
By Kathryn Daily, CISSP, CAP, RDRP NIST has announced the development of a Privacy Framework. The framework is needed to ensure the ability to design, operate, or use technologies in ways that are observant of various privacy needs in a progressively connected and complicated environment. It is expected to help manage risk by protecting people’s…
By Lon J. Berman CISSP, RDRP The National Institute of Standards and Technology (NIST) is in the process of preparing Special Publication (SP) 800-37 Rev 2 for publication. As you may know, NIST SP 800-37 is the publication that defines the Risk Management Framework (RMF) roles, responsibilities and life cycle process. A review of the…
By Kathryn Daily, CISSP, RDRP I’m sure by now you’ve at least familiarized yourself with NIST 800- 171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” What wasn’t made clear was how DoD will evaluate a contractor’s System Security Plan (SSP). In May, DoD released draft DoD Guidance for Reviewing System Security Plans and…
Interesting press release just put out stating that NIST is updating the RMF to incorporate privacy considerations. Full release can be found here.
From May 7 – 10, 2018, IT Dojo will be bringing RMF for DoD IT training to Pensacola, FL! Our last course that ran there a few months ago was in such high demand that we decided to come back! This instructor-led course will get you up to speed on what to expect as you…
By P. Devon Schall, CISSP, RDRP During a recent RMF literature search, I came across an interesting article titled “RMF Applied to Modern Vehicles”. The article was published by Charlie McCarthy and Kevin Harnett in 2014 and sponsored by the National Highway Traffic Safety Administration (NHTSA). The overall goal of the research was to collect…
By Kathryn Daily, CISSP, RDRP NIST 800-53, and specifically Security Control CM-6, requires an organization to a. Establish and document configuration settings for information technology products employed within the information system using [Assignment: organizationdefined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implement the configuration settings; c. Identify, document,…
By Lon J. Berman, CISSP, RDRP at BAI. The Defense Security Service (DSS) serves as an interface between the government and cleared industry. DSS administers and implements the National Industrial Security Program (NISP) by providing oversight and assistance to cleared contractor facilities to ensure protection of classified information. In short, if your company maintains cleared…
By P. Devon Schall, CISSP, RDRP With the addition of Step 0 to the RMF life cycle, we decided to make this month’s top ten list based on preparation. Preparation is often one of the most overlooked aspects of RMF. The road to an ATO is often paved with unexpected setbacks, these setbacks can be…
By Kathryn Daily, CISSP, RDRP If you heard a whooshing sound on New Years Eve, that was probably the deadline for compliance with NIST 171 flying by. A lot of you might be asking “What is NIST 171?” NIST 171 is a set of requirements documented in the NIST Special Publication 800-171 (Protecting Controlled Unclassified…
By P. Devon Schall, CISSP, RDRP I was reading an article recently about Cybersecurity Framework (CSF) and the continued confusion with Risk Management Framework (RMF). In the research, the consensus was the majority of government IT professionals don’t fully understand CSF or RMF and find it easy to confuse the two. As a follow up…
By P. Devon Schall, CISSP, RDRP As I work with clients on assessing their posture with the RMF control families, I am consistently amazed at how many businesses see cybersecurity as an afterthought. More and more often I conclude that many small to medium sized DoD contractors would not implement cybersecurity controls unless required to.…
By Kathryn Daily, CISSP, RDRP In July 2017, SolarWinds conducted an online survey via Market Connections aimed at approximately 200 federal government IT decision makers and influencers in order to determine challenges faced by IT professionals to prevent security threats, quantify sources and types of IT threats, determine elements that aid successful management of risk,…
By Lon J. Berman, CISSP, RDRP By federal law, an information system will be designated as a National Security System (NSS) in accordance with the following definition: The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other…
This article was written by Kathryn M. Daily, CISSP, RDRP of BAI Information Security. In a previous article, security control inheritance from an external system hosted at a departmental or agency data center was discussed. In this article, we are going to discuss inheritance from a FedRAMP Approved Cloud Service Provider (CSP) such as Amazon…
This article was written by Lon Berman, CISSP, RDRP of BAI Information Security Step 6 of the Risk Management Framework (RMF) is entitled “Monitor Security Controls”. Many security professionals would argue it is the most important step, since monitoring is what transforms RMF from yet another “point in time” evaluation to a true life cycle…
Article Written By P. Devon Schall, CISSP, of BAI Information Security. I recently attended the Cybersecurity Framework (CSF) Workshop on May 16-17 at NIST in Gaithersburg, Maryland. The workshop proved to be informative in relation to how government and industry are implementing the guidance issued by President Obama in Executive Order 13636 outlining the responsibilities…
By Lon Berman, CISSP of BAI Information Security As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication (SP) 800- 53 Rev 4. What you may not know is that NIST is hard at work on SP 800-53 Rev 5. The reaction to this news on the…
By Lon J. Berman, CISSP of BAI Information Security The Enterprise Mission Assurance Support Service, or eMASS, is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) package reports. If you’re…
We knew this day was coming. On a long enough timeline, the survival rate for every algorithm drops to zero. Yes, I’m paraphrasing Tyler Durden. It’s slightly less amazing than finding a unicorn in the woods and I don’t think many will remember where they were and what they were doing on the day they…
By Kathryn M. Daily, CISSP BAI Information Security In this issue we will shine the spotlight on the Awareness and Training (AT) family of security controls. We’ll show you how the controls dictate the types and frequencies of training that organizations must provide. You’ll also learn about the extent to which existing DoD publications provide…
By Lon J. Berman, CISSP BAI Information Security Supporting documentation (aka. artifacts) is key to providing evidence of compliance with security controls. Previously in this Newsletter we have spent some time describing the three fundamental classes of RMF documentation, to wit: Policy. Policy documents describe what the organization does to provide for confidentiality, integrity and…
My time in the IT world is closer to three decades than two. And anyone else who has been around half as long can testify to the amount of change that has occurred. It’s more than impressive; it’s a shock. Across the years I have more than once likened keeping up with technology to treading…
Note: This post is about the Routing and Switching CCNA exam, not the other specializations. The first time I ever took the CCNA exam was somewhere during the year 2000. That’s bordering on seventeen years ago. Not sure when I got so old… I often tell my students that the CCNA exam back in those…
In my moderately cynical view, vendor certification exists for one reason: To enable vendors to sell more stuff. Cisco, Microsoft, Amazon and VMWare (and all vendors, really) need people to be certified in the use of their products because it enables their salespeople to be able to come into a prospective customer’s office and say,…
By Lon Berman, CISSP of BAI Information Security Like any complex process, RMF is not without its share of potential pitfalls. Now that we have the benefit of some more RMF projects under our belt, we thought it was time for a “revisited edition” of the RMF Top Ten Pitfalls. 10. Assuming system boundaries have…
By Lon Berman, CISSP of BAI Information Security If you ask most system owners about the desired outcome of their RMF efforts, they will readily tell you “we are expecting the Authorizing Official (AO) to sign an Authorization to Operate (ATO) for our system.” But how much do they really know about what goes into…
By Kathryn M. Daily, CISSP of BAI Information Security In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. First, we’ll show you how the controls dictate the subject areas that need to be addressed in the organization/system’s disaster recovery and business continuity plans. Second, you’ll learn how…
Attention information assurance and cyber security professionals in Hampton Roads! IT Dojo is running an RMF for DoD IT training course in the Virginia Beach/Norfolk area July 11 – 14. Seating is limited, but this course is guaranteed to run! We have delivered this course to hundreds of individuals throughout the country and the response…
By Lon J. Berman, CISSP BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…
By Lon J. Berman, CISSP at BAI Information Security Let’s take a look at some strategies for reviewing the Security Control Baseline and creating “action plans” for implementation. The “Raw Materials” An effective review starts with the right materials. You’ll need two spreadsheets to work with: Security Controls Assessment Procedures (CCIs) Using the Security Controls…
Picture this. You’ve just completed your RMF training with IT Dojo. You spent four days in class learning and doing. So much information and guidance has come your way that at times you felt like you were drinking from a fire hose! Now, at last, you’re sitting in the relative peace and quiet of your…
By Kathryn M. Farrish, CISSP BAI Information Security Security Control Inheritance is one of the most powerful tools available to facilitate the RMF process. Unfortunately, it is not always very well understood, and, as a result, is often misapplied. CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application…
Apple uses a variety of scans for wireless LAN/physical location information. There are Preferred Network Offload (PNO) Scans, Enhanced Preferred Network Offload (ePNO) Scans, Location Scans and Auto Join Scans. Each of these scans, while mostly identical in frame format, are used at different times and for different reasons by the device. In order to…
I recently had a client who had a Security+ certification that was about to expire and he asked me a question that I wanted to share with our readers. If my Security+ certification is about to expire, can I just sit in another Security+ course and earn the CEUs that I need in order to…
By Kathryn M. Farrish, CISSP at BAI Inc. One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of Security Controls in accordance with NIST SP 800-53 and CNSSI 1253. Security controls provide specific safeguards in numerous subject areas (aka. “families”), including access…
Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…
By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from…
By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting system owner provided “self assessment” of security control…
With all the renewed furor over the government attempting to force Apple to backdoor iOS devices so the FBI can inspect the phone of the San Bernardino terrorists I found myself with a usual set of emotions. I have always been an advocate of limited government involvement in the lives of private citizens (i.e. approaching…
Disclosure: I am one of the world’s biggest fans of, and greatest advocates for, IPv6. In the words of rapper 50 Cent, “I love it like a fat kid loves cake.” Anyone I have ever been able to corner in a room knows this to be true. That being said… I just finished reading [yet…
When is the last time you sat down at your desk and really went full-geek on something just because you found it fascinating? No, not because you needed to know it for work or because you wanted to build up your skill set for some future position; I’m talking about full-on burial in a topic…
Before we start, please be sure to download ITdojo’s password entropy worksheet (MS Excel, OS X Numbers, LibreOffice Calc compatible). It’s a nice companion to this post and a useful tool later down the road. Password Entropy Calculator It’s mandated by policy. It’s a best practice for sure. And it’s nothing new to virtually all…
I have been insanely busy over the past month so I haven’t been spending as much time practicing python as I would have liked. About a month ago, in my continued obsession with the beauty of mathematics, I gave myself the task of figuring out how to generate the Fibonacci Sequence using python. I knew,…
By Kathryn M. Farrish, CISSP Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc. Compliance with applicable STIGs is one of the key…
Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http:// iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…
Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”.…
In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an…
As I grow in years the amount of time that passes is more difficult to perceive. The fact that I have been a CISSP for 13 years (October 2002) is cool but it also makes me realize, once again, that I’m no longer a spring chicken. It also puts me on high-alert because the older…
We are pleased to announce that we are able to now offer our clients discounted exam vouchers for CompTIA exams. The discounts are anywhere from 8 – 12% off of retail pricing. We can save you money on A+, Network+, Security+, CASP, Server+, Storage+, Project+, Linux+, Mobility+, CDIA+, CTT+, Cloud Essentials, Cloud+, Healthcare IT, and…
I just finished reading Bruce Schneier’s blog entry, titled “The Doxing Trend”. Let me start by writing that I am usually a big fan of Mr. Schneier. I look forward to his newsletter and I have tremendous respect for his technical intelligence. But as I read his doxing article I couldn’t help but wonder what…
Why CASP Exists: A Slightly Cynical View (and no, this doesn’t mean I’m advocating the CISSP) In the world where DoD 8570.01-M (DoDD 8140) is relevant the CISSP has long been a staple for those seeking IAT Level III, IAM Level II/Level III and IASAE I and IASAE II roles. CompTIA’s CASP exam endeavors to…
When it comes to getting your CISSP certification, I have one important word for you: STUDY. Study in the car (preferably not while driving), study at work (taking care to not get fired), study at home, study everywhere you get a free moment. Study before training, study after training. You really cannot study too much…
I have a daughter in 3rd grade who started the year off with reviews of the addition and subtraction she learned last year. Fortunately, her school is private and doesn’t do any of the dumb Common Core math that I have seen other parents complaining about. My daughter understands the concepts of addition and subtraction…
Very early on in high school I remember my father sitting me down and saying, “When you get to college nobody is ever going to ask you what your GPA was in high school. And after graduating from college nobody is ever going to ask you what your grades were. All they are going to…
Mostly because of their importance in some types of asymmetric cryptography (Diffie-Hellman, RSA) I have a fascination with prime numbers. I enjoy occasionally checking on the latest discovery of ever larger prime numbers. As I write the largest known prime has more than 17, 425, 170 digits in it. That’s a big-ass number! Many…
In my last post I offered two different examples for generating prime numbers using python. The first script in that post generated every prime (except 2) from 1 to 9,999,999 and the second script generated every prime in a user-supplied range. It’s neat to be able to generate a bunch of prime numbers but what…
Perhaps just a step up from writing your first “Hello World” script. I wrote [yet another] prime number generator. I’m sure this can be done in a variety of ways but I used what I currently know to figure out how to determine if a number is prime. Here’s the code: #!/usr/bin/env python print “2…
I have been teaching myself Python for more than a few years. To be clear, that means that I think about python for about a week, do a lot of reading, stay up late trying some real basic code, get distracted by other shiny things, allow weeks or months to go by, and forget almost…
You know who has no say-so in how wireless LAN keys are shared in Microsoft’s new WiFi Sense feature? The actual owner of the wireless LAN. The decision to share credentials is in the power of the connecting user, not the WLAN owner. Stupid much? I have several thousand “friends” on Facebook and more than…
By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…
By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…
The most common question we get in regards to our RMF for DoD IT training course is this: How comprehensive is your RMF for DOD IT course? The reason I ask is that the Navy is still trying to wrap their head around RMF and how to integrate it both from an acquisitions and operational…
By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website, www.cnss.gov,…
By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…
TrainPlus! POST TRAINING SUPPORT RMF education doesn’t just stop when the training class is over. That’s why we offer TrainPlus!, a RMF Q&A follow-up session. Designed specifically for students who’ve previously attended an IT Dojo RMF training class, TrainPlus! is delivered via a monthly, 60-minute, conference call at no charge. Whether the training experience has been online, onsite or…
You’ve earned your CISSP or your Security+ certification…now you need to maintain it. No one wants to have to take those beastly exams again! But how do you do that without spending a lot of money? Sure you could take other classes (and will need to to remain relevant, of course), but sometimes there isn’t…
We have just added a course date for the Information Security Continuous Monitoring training that is coming up this fall (September 22 – 24, 2015). Information Security Continuous Monitoring (three days) covers roles and responsibilities, establishment and implementation of the ISCM strategy, analysis and reporting of findings, and program review in accordance with NIST Special Publication…
IT Dojo has ITIL Courses Available in Hampton Roads and Beyond! The IT Infrastructure Library® (ITIL®) is a set of best practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is published as a series of five core publications, each covering an ITSM lifecycle stage. ITIL…
As many of you are already aware, NIST offers free online Risk Management Framework training as a resource on their website. While this is a great resource containing excellent information and should be included in your learning plan, it is not enough when it comes to preparing yourself and your staff for the transition from DIACAP…
By Kathryn M. Farrish, CISSP One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard identifier and description for “singular, actionable statements” that comprise a security control or security best practice. The purpose of CCIs is to allow a high level statement made in a…
By Lon J. Berman, CISSP The Beatles were comprised of how many musicians? Easy, right? They were called the “Fab Four”, so there were definitely 4. Now Google “the fifth Beatle” and see what you get. Ditto for “sixth sense”. When I eat at a Thai restaurant and the waitress asks how hot I want…
By Annette Leonard of BAI Information Security “The beginning is the most important part of the work.” ― Plato, The Republic Before rushing headlong into the RMF fray, DoD system owners should take the time to ensure they get off to a good start. Mistakes made at the beginning of the effort can be very…
By Lon J. Berman, CISSP It’s hard to believe it’s been a whole year since the publication of DoD Instruction (DoDI) 8510.01 in March of 2014, which officially began the transition from the DIACAP process and IA Controls to the Risk Management Framework (RMF) and NIST Security Controls. While there are isolated pockets of progress…
Overview In the 802.11 WLAN security world I frequently refer to pyrit as the ‘unsung hero’. Pyrit is an awesome tool that can do so much but doesn’t tend to get the recognition as more well-known tools like the aircrack-ng suite and coWPAtty. Comparing these different tools can’t really be done in an apples-to-apples fashion but…
By Lon Berman, CISSP No longer just a technical issue, instead a strategic program to manage cybersecurity risk. Targeted cyber attacks are a strategic organizational problem. Cyber attackers are more sophisticated than ever before, and it has become vitally important to understand how to manage risk and implement a continuous monitoring program. More than just…
The volume of discussion and debate surrounding so-called ‘net neutrality’ in recent days has increased dramatically. And, as usual, it is a polarizing topic. The President has weighed in on the issue, urging the FCC to explicitly deny service providers the right to rate-limit the Internet’s content. His ‘request’ has been met with a venomous…
By Lon J. Berman, CISSP of BAI, Inc. In this issue’s “Spotlight”, we’re not going to focus on any specific controls or families, but rather on a comparison of RMF controls and DIACAP controls. The majority of DoD information systems are currently categorized under DIACAP as “MAC II Sensitive” or “MAC III Sensitive”. These categorizations…
By Annette Leonard of BAI, Inc. RMF-related policies and guidance come from a plethora of sources within the seemingly-convoluted federal landscape. We believe a good understanding of these sources will be helpful as you move forward in your RMF implementation. Here, then is our “Top Ten” list of RMF policy and guidance providers. 10. US…
By Kathryn M. Farrish, CISSP of BAI, Inc. At long last, NIST has finally released a draft copy of the updated version of SP 800-53A, entitled Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This is an important document in the RMF “document library” because it contains the “how to” for assessing…
By Lon Berman of BAI, Inc. Now that RMF is official DoD policy, every DoD system owner needs to begin planning their “transition” from DIACAP. In order to plan and execute the transition, system owners need the answers to three basic questions: What does the transition process entail? When do I need to begin the…
With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD has begun. DoD programs are busy planning and implementing strategies for transitioning from DIACAP to “RMF for DoD IT”. What Efforts are Taking Place in Support of the RMF Transition? Tier 1: DoD Enterprise RMF Knowledge Service –…
Like most Mac users I love the “it just works” functionality that OSX brings to the table. Microsoft die-hards hate such statements and will have their own choice words for people that say or write things like that. But I, like a lot of other people, was born and raised on Microsoft OS’ and for…
The DoD has announced that RMF for DoD IT will supercede the current DIACAP requirements. Revised DoD IA policies and procedures will not be published until later this year and there’s sure to be a “phase in” period. Why should your organization be concerned about preparing for the upcoming RMF transition now? Get Familiarized with…
By Kathryn M. Farrish, CISSP BAI Consulting Under RMF, NIST SP 800-53 is the primary source for security controls. If we compare these controls to the DoDI 8500.2 IA controls used in DIACAP, several obvious differences can be seen. Most notable among these differences is the fact that many of the NIST controls are not…
By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of “RMF for DoD IT”, let’s take a look at some of the things your organization can do to ensure a smooth transition. 10. Publications. Organizations should ensure they are using the latest copies of relevant publications. This includes not…
By Lon J. Berman, CISSP BAI Consulting With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD is now official. DoD programs big and small have gotten busy planning their strategies for transitioning from DIACAP to “RMF for DoD IT”. Let’s take a look at some of the…
As Internet connectivity goes, I live pretty far out out of town. So far, in fact, that decent high-data rate Internet solutions are completely unavailable to me. Internet access at home comes exclusively from an expensive data plan using a mobile hotspot. My hotspot device and my phone share a 40GB/month data plan that I…
We just wanted to share this great message we just got from a client that sat in our CISSP training a few months ago! I would like to thank both of you. I have now taken Security+ and the CISSP classes from you and will highly recommend your site to anyone that seeks improvement in…
We are getting excited about our upcoming Offensive Wifi and Mitigation Techniques class. Gear has started to arrive! Check out these Mark V Pineapples that showed up today! This class will be using these and other tools to demonstrate wifi attacks and how to prevent against them. If you would like more information, please give…
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here. Here is a link to a great book on RMF that we highly recommend. A ton of other information can be found on the NIST web site.
A deadline for federal agencies to adhere to the government’s baseline cloud security standards and changes to the standards themselves are coming up very soon. The deadline for agencies to have their existing cloud computing solutions assessed against the Federal Risk and Authorization Management Program, or FedRAMP is June 5, 2014 Read more about this…
By Lon J. Berman, CISSP BAI Consulting The wait is over! RIP DIACAP!! At long last, DoD has announced the start of transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies ……
By Lon J. Berman, CISSP BAI Consulting As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all the things that will be changing—everything from terminology to documentation to security controls. Thankfully, not everything is changing! We thought it would be interesting to take a look…
For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution. Laws and Executive Branch Policies Federal Information Security Management Act (FISMA) OMB Circular A-130 Appendix III (Security of Federal Information Systems) Federal Information Processing Standard (FIPS) Publications FIPS 199…
By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of RMF, let’s take a look at some of the things that are “new”! 10. Cybersecurity. The word “Cybersecurity” has been part of the government IT security discussion for several years, going back to a Presidential Directive in 2008. DoD has now adopted the term Cybersecurity in…
by Annette Leonard BAI Consulting Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT system. In spite of this, the risk management processes used in most federal agencies have traditionally been centered around mountains of paperwork, along with “point-in-time” assessments and approvals. With the ascension…
On March 12, 2014 the DoD released a new policy that makes it official that the DoD Information Assurance Certification and Accreditation Process (DIACAP) is being put to bed in favor of a “new” Risk Management Framework (RMF). The news is not a revelation as it has been in the works for a few years…
By Lon J. Berman, CISSP For quite some time, it’s been well known that DoD would be making a transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies … including DoD, the intelligence community and all “civil” departments/agencies … into a…
I have started and stopped learning python an embarrassing number of times. Guess what? I’m at it again. For reasons I cannot adequately explain I have never really been able to latch on to it. I am, after all, a networking guy at heart. I have always wanted to write my own code but in…
v6 Vertex – A Brief Explanation of IPv6 Address Types ITdojo’s v6 Vertex is an ever-expanding set of quick tips and useful advice for using IPv6 in your network. People who have been using IPv4 for some time know that there are three basic address types that are commonly discussed: unicast, broadcast and multicast. When…
v6 Vertex – Quick Tips & Pointers for IPv6 Users ITdojo’s v6 Vertex is an ever-expanding set of quick tips and useful advice for using IPv6 in your network. As you begin to make use of IPv6 you will often wonder whether or not you are actually using the protocol and whether or not your…
v6 Vertex – Quick Tips & Pointers for IPv6 Users ITdojo’s v6 Vertex is an ever-expanding set of quick tips and useful advice for using IPv6 in your network. SSH use is daily and ubiquitous. In our increasingly mixed IPv4/IPv6 world we need to be conscious of the ways in which we are connecting (or…
v6 Vertex – Quick Tips & Pointers for IPv6 Users ITdojo’s v6 Vertex is an ever-expanding set of quick tips and useful advice for using IPv6 in your network. For Apple OSX Users: If you need to view the IPv6 neighbor information on your OS X powered device all you need to do is open…
As many of you know, if you received your Security+ certification after 2011, you are not eligible for lifetime Security+ status. Before that you were grandfathered in, but if your is after 2011 you are out of luck. No every 3 years you must renew your certification by either retaking the exam, or by completing…
We spotted this interesting IPv6 article this morning written by Angus Kidman at Lifehacker and wanted to share it with you. Here’s an excerpt: “We’ve known for decades that the available pool of IPv4 address was eventually going to dry up, but despite numerous warnings usage of its successor IPv6 is still minimal. Why haven’t…
Most will agree that there is no substitute for instructor-led classroom training. The interaction and dialogue between teacher and student is tough to beat. But tight budgets and even tighter business needs can make it difficult to break away from the office to attend training. You need to be better at your job but you’re…
Path MTU discovery (PMTUD) is far from a new concept to IT folk. A sending node sets the Don’t Fragment bit in its IPv4 header which is the nodes way of telling any router along the journey to the packet’s destination that it may not fragment the packet into smaller parts. The router, being an…
I’m setting IPv6 aside for a moment to comment on Ubuntu 12.10. Thanks. Ubuntu 12.10, which is scheduled to be released later this month, is adding a feature that seems to have some fellow ‘nixers up in arms. The Dash search bar which allows you to find pretty much anything on your computer is adding…
Because every interface on your system, physical or virtual, has a link local IPv6 address your system needs a little guidance as to which one to use when sending packets to link-local IPv6 addresses. From an IPv4 perspective this type of addressing is an alien concept. But to IPv6, it’s everyday life.
I can sum it up with one sentence: IPv6 costs money, it does not make it. But the long ago the world received the commandment from the ether: Migrate! Migrate …and pay for it yourself with no immediately obvious capacity for a return on the investment. And we wonder why the migration is almost 20…
I’ll wager that 99% of people who read this from home are coming to me through an IPv4 NAT device that is only a few short steps from where they are sitting. NAT and IPv4, for reasons I understand yet still loathe, just go together these days. I’ll save my un-ending rant against NAT for…
IPv6 has added many new words and ideas to the lexicon of IT professionals. One of the least expected: deprecate. The dictionary (dictionary.com) says that deprecate means “to express earnest disapproval of”, to “urge reasons against” or, oddly, “to pray for deliverance from”. In the IT world the world a thing being ‘deprecated’ is a…
In IPv6 there are four [tables | lists | data structures] used as part of the packet forwarding process (e.g. Neighbor Discovery and the Conceptual Sending Algorithm). They are: Neighbor Cache Destination Cache Prefix List Default Router List These data structures are currently defined by RFC 4861 (and previously by RFC 1970 and RFC 2461,…
Microsoft Windows OS’ have a resolver cache built into the actual OS. Most Windows admins already know this. When your Windows system performs a DNS query the results are stored by the OS and are available for use by other applications and processes running on the system. This means that you can resolve www.itdojo.com to…
Just last week (July 12, 2012), the Chief Information Officers Council released this updated version of the Roadmap Toward IPv6 Adoption for the Federal Government to help with the upcoming deadlines for September of 2012 and September 2014. It highlights the history as well as the government’s vision for IPv6. To read the original article…
The effectiveness of Security through Obscurity is closely related to the knowledge (or lack thereof) of the attacker. If someone is unaware of how a particular technology works, the data is obscured by the nature of the technology. Once some understanding is had by your adversary, however, the security vanishes. Some examples are: 1. Not…
Directive 8570.01 is an initiative that sets out to provide guidance and procedures for training, certification, and management of the Department of Defense (DoD) workforce that are in positions related to Information Assurance.
I recently read a few articles from around the the Internet regarding the debate surrounding the use of /64 or /126 prefixes on P2P links. Here is a response I left on another site: “The idea of using /126′s is little more than scar tissue from our experience with IPv4. It is the application of…
June 8th, 2011 is World IPv6 Day! If you aren’t already running IPv6 this is as good a time as any to get your systems set up to play on the IPv6 Internet. Head over to the official World IPv6 Day web site and get going. http://worldipv6day.org/
Network Address Translation – A Black Mark on IPv4’s Name Why do people use Network Address Translation? Because they always have, that’s why. “That’s the way we’ve always done it” is one of the dumbest reasons we do things. It precludes continued thought and absolves us the responsibility to think about why we are doing…
…about the IP address of your default router (default gateway in IPv4-speak). It’s tough to argue against the fact that most IPv6 addresses are not much fun to type. Being four times longer than IPv4 addresses and expressed in hexadecimal means things can get ugly on the keyboard pretty quickly. For people in the IT…
I wrote this post several years ago. By writing it I was trying to get people to begin to think about how the size of the IPv6 address space, when combined with RFID technologies, was going to change everything about how they manage their lives. I wrote this way before NetFlix began streaming content, before…
The IANA (Internet Assigned Number Authority) distributes IPv6 address to RIR’s (Regional Internet Registry’s) around the world. At the moment there are five RIR’s and each of them is responsible for allocating IPv6 address space to ISP’s (Internet Service Providers) and, in some cases, End-User organizations. Once a block of addresses is allocated to an…
The IPv6 address space is huge. On paper each IPv6 subnet (/64) supports more than 18.4 quintillion hosts (millions, billions, trillions, quadrillions and then quintillions). It’s an amazingly large number. By every conceivable measure today we can’t contemplate a situation where anything but the tiniest portion of that address space will actually be utilized. Assuming…
Most DNS servers these days are glad to resolve IPv6 addresses from clients who send the queries packaged in IPv4 packets. In the grand scheme of things the DNS servers don’t care how you sent the question, they just care about the question. And because almost everybody still relies heavily upon IPv4, most of us…
“You hear that? That is the sound of inevitability…” – Agent Smith, The Matrix. You will migrate to IPv6. It is happening. You will not be able to resist. The IANA gave out the last IPv4 allocations on 2/1/2011. There are no more. As I write, the RIR’s will completely run out of IPv4 addresses…
One very cool and highly promoted feature of IPv6 is stateless address autoconfiguration. If you don’t already know, this feature enables a node to automatically derive its IPv6 address(es) without the help of of a DHCP server. That is a big departure from the world of IPv4. In IPv4 you either had to manually configure…
The beloved UNC path name, familiar to all who administer Microsoft. After all these years there is something comfortable and familiar in the simple act of cracking open open that run line and busting out a pair of backslashes followed by the name or IP address to which I want to connect. Simple. Easy. Classic.
The Domain Internet Groper, or dig, as most of us know it, is considered by pretty much everybody in the ‘nix community to be the replacement to nslookup. And I have long been madly in like with it. Not sure why, though. nslookup has never been a disappointment. Maybe it’s because dig is newer and…
When discussing IPv6 addresses folks are often quick to say, “FE80 …that’s link-local.” And it’s true. The prefix FE80::/10 is reserved for link-local IPv6 addressing. But a lot of people overlook the fact that the 10-bit prefix only covers two of the four bits represented by the third character in the address. The ‘F’ and…
By now most of us know that the IPv6 address space is 128-bits. That’s 96-bits larger than the 32-bit IPv4 address space. By now most of us also know that the IPv4 address space has (on paper) 4,294,967,265 possible address. So just how big is the IPv6 address space? Well, it’s 2128 (2 raised to…
In an earlier post I offered some perspective on just how big the 128-bit IPv6 address space is. The ridiculousness of the number of addresses offers plenty of opportunity for levity. Earlier today I was thinking about what other ways I could show the size of the address space in a way that was meaningful.…