By Kathryn M. Farrish, CISSP BAI Consulting Under RMF, NIST SP 800-53 is the primary source for security controls. If we compare these controls to the DoDI 8500.2 IA controls used in DIACAP, several obvious differences can be seen. Most notable among these differences is the fact that many of the NIST controls are not…
By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of “RMF for DoD IT”, let’s take a look at some of the things your organization can do to ensure a smooth transition. 10. Publications. Organizations should ensure they are using the latest copies of relevant publications. This includes not…
By Lon J. Berman, CISSP BAI Consulting With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD is now official. DoD programs big and small have gotten busy planning their strategies for transitioning from DIACAP to “RMF for DoD IT”. Let’s take a look at some of the…
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here. Here is a link to a great book on RMF that we highly recommend. A ton of other information can be found on the NIST web site.
By Lon J. Berman, CISSP BAI Consulting The wait is over! RIP DIACAP!! At long last, DoD has announced the start of transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies ……
By Lon J. Berman, CISSP BAI Consulting As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all the things that will be changing—everything from terminology to documentation to security controls. Thankfully, not everything is changing! We thought it would be interesting to take a look…
For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution. Laws and Executive Branch Policies Federal Information Security Management Act (FISMA) OMB Circular A-130 Appendix III (Security of Federal Information Systems) Federal Information Processing Standard (FIPS) Publications FIPS 199…
By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of RMF, let’s take a look at some of the things that are “new”! 10. Cybersecurity. The word “Cybersecurity” has been part of the government IT security discussion for several years, going back to a Presidential Directive in 2008. DoD has now adopted the term Cybersecurity in…
by Annette Leonard BAI Consulting Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT system. In spite of this, the risk management processes used in most federal agencies have traditionally been centered around mountains of paperwork, along with “point-in-time” assessments and approvals. With the ascension…