Article Written By P. Devon Schall, CISSP, of BAI Information Security. I recently attended the Cybersecurity Framework (CSF) Workshop on May 16-17 at NIST in Gaithersburg, Maryland. The workshop proved to be informative in relation to how government and industry are implementing the guidance issued by President Obama in Executive Order 13636 outlining the responsibilities…
By Lon Berman, CISSP of BAI Information Security As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication (SP) 800- 53 Rev 4. What you may not know is that NIST is hard at work on SP 800-53 Rev 5. The reaction to this news on the…
By Lon J. Berman, CISSP of BAI Information Security The Enterprise Mission Assurance Support Service, or eMASS, is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) package reports. If you’re…
By Kathryn M. Daily, CISSP BAI Information Security In this issue we will shine the spotlight on the Awareness and Training (AT) family of security controls. We’ll show you how the controls dictate the types and frequencies of training that organizations must provide. You’ll also learn about the extent to which existing DoD publications provide…
By Lon J. Berman, CISSP BAI Information Security Supporting documentation (aka. artifacts) is key to providing evidence of compliance with security controls. Previously in this Newsletter we have spent some time describing the three fundamental classes of RMF documentation, to wit: Policy. Policy documents describe what the organization does to provide for confidentiality, integrity and…
By Lon Berman, CISSP of BAI Information Security Like any complex process, RMF is not without its share of potential pitfalls. Now that we have the benefit of some more RMF projects under our belt, we thought it was time for a “revisited edition” of the RMF Top Ten Pitfalls. 10. Assuming system boundaries have…
By Lon Berman, CISSP of BAI Information Security If you ask most system owners about the desired outcome of their RMF efforts, they will readily tell you “we are expecting the Authorizing Official (AO) to sign an Authorization to Operate (ATO) for our system.” But how much do they really know about what goes into…
By Kathryn M. Daily, CISSP of BAI Information Security In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. First, we’ll show you how the controls dictate the subject areas that need to be addressed in the organization/system’s disaster recovery and business continuity plans. Second, you’ll learn how…
Attention information assurance and cyber security professionals in Hampton Roads! IT Dojo is running an RMF for DoD IT training course in the Virginia Beach/Norfolk area July 11 – 14. Seating is limited, but this course is guaranteed to run! We have delivered this course to hundreds of individuals throughout the country and the response…
By Lon J. Berman, CISSP BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…