By Lon J. Berman CISSP, RDRP CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application”. The typical example…
Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems. Yet, there is confusion about…
By P.Devon Schall Ph.D., RDRP Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF. Dear Doctor RMF, We just received our report from Alex, our independent assessor team lead, and…
By P. Devon Schall, Ph.D., CISSP, RDRP Over the past year, I have conducted research on the relationship between the receipt of formalized RMF training and perceptions of RMF effectiveness, sustainability, and commitment in RMF practitioners. I am very pleased to announce, I have completed the study and have some interesting results to report. This…
By Kathryn Daily, CISSP, RDRP NIST has officially released NIST 800-37 Rev 2 and dubbed it as “RMF 2.0.” The framework has been updated to include both cybersecurity and privacy to be key for an authorization decision. “RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a…
By Lon J. Berman CISSP, RDRP All of us who have spent time working with RMF have come to understand just what a time-consuming and resource-intensive process it can be. As bad as that may be, it is made even worse when the same application or system ends up going through the RMF process multiple…
Training Overview Security Controls Assessment Workshop provides a current and well-developed approach to evaluation and testing of security controls to prove they are functioning correctly in today’s IT systems. This course shows you how to evaluate, examine, and test installed security controls in the world of threats and potential breach actions surrounding all industries and…
By Lon J. Berman CISSP, RDRP Thanks to the work of the Joint Task Force, RMF is now the official information security life cycle process across all three “segments” of the Executive Branch, i.e., DoD, federal civil agencies, and the intelligence community. It’s now been 4 ½ years since DoD officially “adopted” RMF (DoDI 8510.01,…
By Kathryn Daily, CISSP, CAP, RDRP NIST has announced the development of a Privacy Framework. The framework is needed to ensure the ability to design, operate, or use technologies in ways that are observant of various privacy needs in a progressively connected and complicated environment. It is expected to help manage risk by protecting people’s…
By Lon J. Berman CISSP, RDRP The National Institute of Standards and Technology (NIST) is in the process of preparing Special Publication (SP) 800-37 Rev 2 for publication. As you may know, NIST SP 800-37 is the publication that defines the Risk Management Framework (RMF) roles, responsibilities and life cycle process. A review of the…