By Kathryn M. Farrish, CISSP One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard identifier and description for “singular, actionable statements” that comprise a security control or security best practice. The purpose of CCIs is to allow a high level statement made in a…
By Lon J. Berman, CISSP The Beatles were comprised of how many musicians? Easy, right? They were called the “Fab Four”, so there were definitely 4. Now Google “the fifth Beatle” and see what you get. Ditto for “sixth sense”. When I eat at a Thai restaurant and the waitress asks how hot I want…
By Annette Leonard of BAI Information Security “The beginning is the most important part of the work.” ― Plato, The Republic Before rushing headlong into the RMF fray, DoD system owners should take the time to ensure they get off to a good start. Mistakes made at the beginning of the effort can be very…
By Lon J. Berman, CISSP It’s hard to believe it’s been a whole year since the publication of DoD Instruction (DoDI) 8510.01 in March of 2014, which officially began the transition from the DIACAP process and IA Controls to the Risk Management Framework (RMF) and NIST Security Controls. While there are isolated pockets of progress…
By Lon Berman, CISSP No longer just a technical issue, instead a strategic program to manage cybersecurity risk. Targeted cyber attacks are a strategic organizational problem. Cyber attackers are more sophisticated than ever before, and it has become vitally important to understand how to manage risk and implement a continuous monitoring program. More than just…
By Lon J. Berman, CISSP of BAI, Inc. In this issue’s “Spotlight”, we’re not going to focus on any specific controls or families, but rather on a comparison of RMF controls and DIACAP controls. The majority of DoD information systems are currently categorized under DIACAP as “MAC II Sensitive” or “MAC III Sensitive”. These categorizations…
By Annette Leonard of BAI, Inc. RMF-related policies and guidance come from a plethora of sources within the seemingly-convoluted federal landscape. We believe a good understanding of these sources will be helpful as you move forward in your RMF implementation. Here, then is our “Top Ten” list of RMF policy and guidance providers. 10. US…
By Kathryn M. Farrish, CISSP of BAI, Inc. At long last, NIST has finally released a draft copy of the updated version of SP 800-53A, entitled Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This is an important document in the RMF “document library” because it contains the “how to” for assessing…
By Lon Berman of BAI, Inc. Now that RMF is official DoD policy, every DoD system owner needs to begin planning their “transition” from DIACAP. In order to plan and execute the transition, system owners need the answers to three basic questions: What does the transition process entail? When do I need to begin the…
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here. Here is a link to a great book on RMF that we highly recommend. A ton of other information can be found on the NIST web site.