Building A Security Control Baseline “Step-by-Step”

Article by Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-by-step. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…

Top Ten—Questions for your Authorizing Official

By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self-evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature; he/she should be an active participant in the process from…

System Scans in eMASS … Think Before You Upload!

By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting system-owner-provided “self assessments” of security control…

What is STIG Viewer (and why are there two answers)?

By Kathryn M. Farrish, CISSP Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc. Compliance with applicable STIGs is one of the key…

The Top Ten STIGs

Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http://iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…

Security Control Spotlight: A Little Good News?

Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner): “Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as ‘Moderate-Moderate-Moderate (M-M-M)’.…

RMF’s System Categorization: Step by Step

In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an…

FAQ: How Comprehensive is your RMF for DoD IT Course?

The most common question we get in regards to our RMF for DoD IT training course is this: How comprehensive is your RMF for DOD IT course? The reason I ask is that the Navy is still trying to wrap their head around RMF and how to integrate it both from an acquisitions and operational…

Information Security Continuous Monitoring Course Date Just Added!

We have just added a course date for the Information Security Continuous Monitoring training that is coming up this fall (September 22 – 24, 2015). Information Security Continuous Monitoring (three days) covers roles and responsibilities, establishment and implementation of the ISCM strategy, analysis and reporting of findings, and program review in accordance with NIST Special Publication…

Why NIST’s Free Online RMF Training is Not Enough

As many of you are already aware, NIST offers free online Risk Management Framework training as a resource on their website. While this is a great resource containing excellent information and should be included in your learning plan, it is not enough when it comes to preparing yourself and your staff for the transition from DIACAP…