Top Ten—RMF “Lessons Learned”

By Lon J. Berman, CISSP  BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO). In lieu of … or in addition to … a victory party, the team decided it would be productive to…

Enhance Your RMF Training Experience with TrainPlus!

Picture this. You’ve just completed your RMF training with IT Dojo. You spent four days in class learning and doing. So much information and guidance has come your way that at times you felt like you were drinking from a fire hose! Now, at last, you’re sitting in the relative peace and quiet of your…

Security Control Spotlight—Inheritance

By Kathryn M. Farrish, CISSP  BAI Information Security Security Control Inheritance is one of the most powerful tools available to facilitate the RMF process. Unfortunately, it is not always very well understood, and, as a result, is often misapplied. CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application…

Security Control Spotlight—STIGs and Controls

By Kathryn M. Farrish, CISSP at BAI Inc. One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of Security Controls in accordance with NIST SP 800-53 and CNSSI 1253. Security controls provide specific safeguards in numerous subject areas (aka. “families”), including access…

Building A Security Control Baseline “Step-by-Step”

Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…

Top Ten—Questions for your Authorizing Official

By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from…

System Scans in eMASS … Think Before You Upload!

By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting system owner provided “self assessment” of security control…

The Top Ten STIGs

Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http:// iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…

Security Control Spotlight: A Little Good News?

Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”.…