IT Blog

  • Preparing for RMF Training

    Top Ten—Preparing for RMF Questions

    By P. Devon Schall, CISSP, RDRP With the addition of Step 0 to the RMF life cycle, we decided to make this month’s top ten list based on preparation. Preparation is often one of the most overlooked aspects of RMF. The road to an ATO is often paved with unexpected setbacks, these setbacks can be […]

  • NIST 171 Training

    NIST 171—What’s That?

    By Kathryn Daily, CISSP, RDRP If you heard a whooshing sound on New Years Eve, that was probably the deadline for compliance with NIST 171 flying by. A lot of you might be asking “What is NIST 171?” NIST 171 is a set of requirements documented in the NIST Special Publication 800-171 (Protecting Controlled Unclassified […]

  • Difference between RMF and CSF Training

    Top Ten—Differences Between RMF and CSF

    By P. Devon Schall, CISSP, RDRP I was reading an article recently about Cybersecurity Framework (CSF) and the continued confusion with Risk Management Framework (RMF). In the research, the consensus was the majority of government IT professionals don’t fully understand CSF or RMF and find it easy to confuse the two. As a follow up […]

  • Cybersecurity Can't Be Bolton

    Cybersecurity Can’t Be Bolt-On

    By P. Devon Schall, CISSP, RDRP As I work with clients on assessing their posture with the RMF control families, I am consistently amazed at how many businesses see cybersecurity as an afterthought. More and more often I conclude that many small to medium sized DoD contractors would not implement cybersecurity controls unless required to. […]

  • Is RMF Effective?

    RMF: Is It Effective?

    By Kathryn Daily, CISSP, RDRP In July 2017, SolarWinds conducted an online survey via Market Connections aimed at approximately 200 federal government IT decision makers and influencers in order to determine challenges faced by IT professionals to prevent security threats, quantify sources and types of IT threats, determine elements that aid successful management of risk, […]

  • RMF and National Security Systems

    Is Your System a National Security System (NSS)? and How Does That Affect RMF Efforts?

    By Lon J. Berman, CISSP, RDRP By federal law, an information system will be designated as a National Security System (NSS) in accordance with the following definition: The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other […]

  • Inheritance from a FedRAMP Approved CSP

    Security Control Spotlight— Inheritance from a FedRAMP Approved CSP

    This article was written by Kathryn M. Daily, CISSP, RDRP of BAI Information Security. In a previous article, security control inheritance from an external system hosted at a departmental or agency data center was discussed. In this article, we are going to discuss inheritance from a FedRAMP Approved Cloud Service Provider (CSP) such as Amazon […]

  • Continuous Monitoring Training

    Continuous Monitoring Today—And Tomorrow

    This article was written by Lon Berman, CISSP, RDRP of BAI Information Security Step 6 of the Risk Management Framework (RMF) is entitled “Monitor Security Controls”. Many security professionals would argue it is the most important step, since monitoring is what transforms RMF from yet another “point in time” evaluation to a true life cycle […]

  • Cybersecurity Framework and RMF

    Cybersecurity Framework (CSF) as it relates to Risk Management Framework (RMF)

    Article Written By P. Devon Schall, CISSP, of BAI Information Security. I recently attended the Cybersecurity Framework (CSF) Workshop on May 16-17 at NIST in Gaithersburg, Maryland. The workshop proved to be informative in relation to how government and industry are implementing the guidance issued by President Obama in Executive Order 13636 outlining the responsibilities […]

  • NIST 800-53 Training

    NIST SP 800-53 Rev 5—Big Changes Coming?

    By Lon Berman, CISSP of BAI Information Security As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication (SP) 800- 53 Rev 4. What you may not know is that NIST is hard at work on SP 800-53 Rev 5. The reaction to this news on the […]

  • Top 10 Things You Should Know About eMASS

    Top Ten—Things You Should Know about eMASS

    By Lon J. Berman, CISSP of BAI Information Security The Enterprise Mission Assurance Support Service, or eMASS, is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) package reports. If you’re […]