By P. Devon Schall, CISSP, RDRP With the addition of Step 0 to the RMF life cycle, we decided to make this month’s top ten list based on preparation. Preparation is often one of the most overlooked aspects of RMF. The road to an ATO is often paved with unexpected setbacks, these setbacks can be…
By Kathryn Daily, CISSP, RDRP If you heard a whooshing sound on New Years Eve, that was probably the deadline for compliance with NIST 171 flying by. A lot of you might be asking “What is NIST 171?” NIST 171 is a set of requirements documented in the NIST Special Publication 800-171 (Protecting Controlled Unclassified…
By P. Devon Schall, CISSP, RDRP I was reading an article recently about Cybersecurity Framework (CSF) and the continued confusion with Risk Management Framework (RMF). In the research, the consensus was the majority of government IT professionals don’t fully understand CSF or RMF and find it easy to confuse the two. As a follow up…
By P. Devon Schall, CISSP, RDRP As I work with clients on assessing their posture with the RMF control families, I am consistently amazed at how many businesses see cybersecurity as an afterthought. More and more often I conclude that many small to medium sized DoD contractors would not implement cybersecurity controls unless required to.…
By Lon J. Berman, CISSP, RDRP By federal law, an information system will be designated as a National Security System (NSS) in accordance with the following definition: The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other…
By Lon Berman, CISSP of BAI Information Security Like any complex process, RMF is not without its share of potential pitfalls. Now that we have the benefit of some more RMF projects under our belt, we thought it was time for a “revisited edition” of the RMF Top Ten Pitfalls. 10. Assuming system boundaries have…
By Lon Berman, CISSP of BAI Information Security If you ask most system owners about the desired outcome of their RMF efforts, they will readily tell you “we are expecting the Authorizing Official (AO) to sign an Authorization to Operate (ATO) for our system.” But how much do they really know about what goes into…
By Kathryn M. Daily, CISSP of BAI Information Security In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. First, we’ll show you how the controls dictate the subject areas that need to be addressed in the organization/system’s disaster recovery and business continuity plans. Second, you’ll learn how…
Attention information assurance and cyber security professionals in Hampton Roads! IT Dojo is running an RMF for DoD IT training course in the Virginia Beach/Norfolk area July 11 – 14. Seating is limited, but this course is guaranteed to run! We have delivered this course to hundreds of individuals throughout the country and the response…
By Lon J. Berman, CISSP BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…