The Newest NIST Framework: The NIST Privacy Framework

By Kathryn Daily, CISSP, CAP, RDRP NIST has announced the development of a Privacy Framework. The framework is needed to ensure the ability to design, operate, or use technologies in ways that are observant of various privacy needs in a progressively connected and complicated environment. It is expected to help manage risk by protecting people’s…

NIST 800-171: Confusion and the Protest Docket

By Kathryn Daily, CISSP, RDRP I’m sure by now you’ve at least familiarized yourself with NIST 800- 171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” What wasn’t made clear was how DoD will evaluate a contractor’s System Security Plan (SSP). In May, DoD released draft DoD Guidance for Reviewing System Security Plans and…

RMF Applied to Modern Vehicles

By P. Devon Schall, CISSP, RDRP During a recent RMF literature search, I came across an interesting article titled “RMF Applied to Modern Vehicles”. The article was published by Charlie McCarthy and Kevin Harnett in 2014 and sponsored by the National Highway Traffic Safety Administration (NHTSA). The overall goal of the research was to collect…

IT Dojo Introduces: STIG 101 Training

By Kathryn Daily, CISSP, RDRP NIST 800-53, and specifically Security Control CM-6, requires an organization to a. Establish and document configuration settings for information technology products employed within the information system using [Assignment: organizationdefined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implement the configuration settings; c. Identify, document,…

Top Ten—RMF “Lessons Learned”

By Lon J. Berman, CISSP  BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…

Security Control Baseline “Tabletop Review”

By Lon J. Berman, CISSP at BAI Information Security Let’s take a look at some strategies for reviewing the Security Control Baseline and creating “action plans” for implementation. The “Raw Materials” An effective review starts with the right materials. You’ll need two spreadsheets to work with: Security Controls Assessment Procedures (CCIs) Using the Security Controls…

Enhance Your RMF Training Experience with TrainPlus!

Picture this. You’ve just completed your RMF training with IT Dojo. You spent four days in class learning and doing. So much information and guidance has come your way that at times you felt like you were drinking from a fire hose! Now, at last, you’re sitting in the relative peace and quiet of your…

Security Control Spotlight—Inheritance

By Kathryn M. Farrish, CISSP  BAI Information Security Security Control Inheritance is one of the most powerful tools available to facilitate the RMF process. Unfortunately, it is not always very well understood, and, as a result, is often misapplied. CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application…