Security Control Spotlight—Contingency Planning

By Kathryn M. Daily, CISSP of BAI Information Security In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. First, we’ll show you how the controls dictate the subject areas that need to be addressed in the organization/system’s disaster recovery and business continuity plans. Second, you’ll learn how…

RMF Training in Virginia Beach is Filling up!

Attention information assurance and cyber security professionals in Hampton Roads!  IT Dojo is running an RMF for DoD IT training course in the Virginia Beach/Norfolk area July 11 – 14.  Seating is limited, but this course is guaranteed to run! We have delivered this course to hundreds of individuals throughout the country and the response…

Top Ten—RMF “Lessons Learned”

By Lon J. Berman, CISSP  BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…

Security Control Baseline “Tabletop Review”

By Lon J. Berman, CISSP at BAI Information Security Let’s take a look at some strategies for reviewing the Security Control Baseline and creating “action plans” for implementation. The “Raw Materials” An effective review starts with the right materials. You’ll need two spreadsheets to work with: Security Controls Assessment Procedures (CCIs) Using the Security Controls…

Enhance Your RMF Training Experience with TrainPlus!

Picture this. You’ve just completed your RMF training with IT Dojo. You spent four days in class learning and doing. So much information and guidance has come your way that at times you felt like you were drinking from a fire hose! Now, at last, you’re sitting in the relative peace and quiet of your…

Security Control Spotlight—Inheritance

By Kathryn M. Farrish, CISSP  BAI Information Security Security Control Inheritance is one of the most powerful tools available to facilitate the RMF process. Unfortunately, it is not always very well understood, and, as a result, is often misapplied. CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application…

Security Control Spotlight—STIGs and Controls

By Kathryn M. Farrish, CISSP at BAI Inc. One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of Security Controls in accordance with NIST SP 800-53 and CNSSI 1253. Security controls provide specific safeguards in numerous subject areas (aka. “families”), including access…

Building A Security Control Baseline “Step-by-Step”

Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…

Top Ten—Questions for your Authorizing Official

By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from…