By Lon J. Berman, CISSP, RDRP Welcome to 2022! It’s now been well over a year since the release of NIST SP 800-53 Rev 5, yet Rev 4 remains the DoD standard. When DoD first adopted RMF … back in 2014! … they expressed their commitment to “keeping up” with the NIST publications. So why…
By Kathryn Daily, CISSP, CAP, RDRP Recently our regional grocery store chain notified their employees and customers that they had a data breach involving some HR data and pharmacy records. The breach was caused by a vulnerability in the Accellion file sharing system which the grocery chain immediately stopped using. As I was perusing the…
By Lon J. Berman, CISSP, RDRP More than ten years ago, RMF came into existence with the intention of becoming the “unified information security framework for the federal government”. With widespread adoption of RMF throughout most federal civil agencies, DoD components and intelligence community agencies, it is safe to say that goal has been met.…
By Philip D. Schall, Ph.D., CISSP, RDRP At IT Dojo, we often have conversations with our students on the topic of taking formal classroom RMF training. In the modern digital landscape, we are able to learn about and complete projects we never thought possible twenty years ago through free online resources. The internet has enabled…
Dear Dr. RMF, I work in an Army program and I feel like I am getting the hang of RMF, but when the heck do I schedule an independent assessment (SCA-V)? Show Me the SCA-V Dear Show Me the SCA-V, When determining when to schedule a SCA-V assessment you’ll want to take several things into…
By Lon J. Berman, CISSP, RDRP Just when folks were beginning to get somewhat comfortable … or, at least, familiar … with the Risk Management Framework (RMF), along come our friends at the National Institute of Standards and Technology (NIST) throwing another framework our way! The Cybersecurity Framework (CSF) has actually been in development since…
By Kathryn Daily, CISSP, CAP, RDRP Back in September 2018, NIST announced their plans to develop a data privacy framework based off their cybersecurity framework that has been extremely successful in both government and private sector. NIST has worked with industry through webinars and workshops and incorporated both public and private sector feedback for the…
By P. Devon Schall, PhD, CISSP, RDRP Over the past 12 months, I have attended a handful of DoD cybersecurity conferences with the goal of convincing the DoD community that RMF training is a key solution in combatting the perceived RMF crisis. These conferences include the Air Force Information Technology & Cyberpower Conference (AFITC), the…
By Lon J. Berman CISSP, RDRP CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application”. The typical example…
Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems. Yet, there is confusion about…