RMF

May 24, 2024

RMF Alignment with ISC2’s CGRC Exam

IT Dojo's training programs were developed with the information systems professional in mind. NIST’s Risk Management Framework is one of the most widely used …

April 17, 2024

Strengthening Cybersecurity: Navigating the Risk Management Framework for DoD IT

In an era marked by evolving cyber threats and stringent security requirements, the Department of Defense (DoD) plays a pivotal role in safeguarding sensitive …

September 27, 2023

Navigating the Risk Management Framework (RMF) for DoD and Government Agencies

In today's tech-driven world, safeguarding sensitive data and critical systems is a top priority, especially for government agencies, including the Department …

June 28, 2023

NIST SP 800-53: WHAT’S THE DELTA FROM REV. 4 TO REV. 5?

BY KATHRYN DAILY, CISSP, CGRC (FORMERLY CAP), RDRP NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53) provides a set of …

June 28, 2023

RISK MANAGEMENT FRAMEWORK (RMF) TOMORROW: TRUTH OR FICTION?

BY LON J. BERMAN, CISSP, RDRP JULY 2023, VOLUME 15, ISSUE 3 When it comes to the future of RMF, rumors abound but truth is hard to come by. In this article, …

February 8, 2022

DoD Transition to NIST SP 800-53 Rev 5 … Why is it Taking so Long?

By Lon J. Berman, CISSP, RDRP Welcome to 2022! It’s now been well over a year since the release of NIST SP 800-53 Rev 5, yet Rev 4 remains the DoD standard. …

May 25, 2021

Risk. What to Do With It.

By Kathryn Daily, CISSP, CAP, RDRP Recently our regional grocery store chain notified their employees and customers that they had a data breach involving some …

May 25, 2021

RMF Across the Government Landscape

By Lon J. Berman, CISSP, RDRP More than ten years ago, RMF came into existence with the intention of becoming the “unified information security framework for …

January 12, 2021

NIST Rev. 5 Supplemental Materials

By Kathryn Daily, CISSP, CAP, RDRP Back in September of last year (2020), NIST finally published the final version of Special Publication 800-53 Revision 5. …

January 12, 2021

Welcome, Step 0

By Lon J. Berman, CISSP, RDRP Q. The Risk Management Framework (RMF) life cycle is comprised of how many steps? A. Oh, that’s easy, it’s six. Well … not so …

November 12, 2019

Ask Dr. RMF!

Dear Dr. RMF, I work in an Army program and I feel like I am getting the hang of RMF, but when the heck do I schedule an independent assessment (SCA-V)? Show Me …

July 9, 2019

The Expanding Role of eMASS

By Lon J Berman, CISSP, RDRP The Enterprise Mission Assurance Support Service (eMASS) is a DoD system that serves as an information repository and workflow …

April 15, 2019

Ask Dr. RMF

Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management …

April 15, 2019

Security Control Inheritance

By Lon J. Berman CISSP, RDRP CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection …

January 11, 2019

NIST 800-37 Rev 2: It’s Official!

By Kathryn Daily, CISSP, RDRP NIST has officially released NIST 800-37 Rev 2 and dubbed it as “RMF 2.0.” The framework has been updated to include both …

January 11, 2019

Powerful but not well understood: Reciprocity, Type Authorization, and Assess Only

By Lon J. Berman CISSP, RDRP All of us who have spent time working with RMF have come to understand just what a time-consuming and resource-intensive process it …

October 11, 2018

IT Dojo Announces Security Control Assessment (SCA) Training Workshop

Training Overview Security Controls Assessment Workshop provides a current and well-developed approach to evaluation and testing of security controls to prove …

October 9, 2018

Is RMF Broken? Can it be fixed or is it beyond repair?

By Lon J. Berman CISSP, RDRP Thanks to the work of the Joint Task Force, RMF is now the official information security life cycle process across all three …

July 17, 2018

NIST 800-37 Rev. 2

By Lon J. Berman CISSP, RDRP The National Institute of Standards and Technology (NIST) is in the process of preparing Special Publication (SP) 800-37 Rev 2 for …

May 9, 2018

NIST Updates RMF to Incorporate Privacy Considerations

Interesting press release just put out stating that NIST is updating the RMF to incorporate privacy considerations. Full release can be found here.

April 18, 2018

RMF Training Coming Back to Pensacola Florida

From May 7 - 10, 2018, IT Dojo will be bringing RMF for DoD IT training to Pensacola, FL! Our last course that ran there a few months ago was in such high …

April 17, 2018

RMF and the Defense Security Service (DSS)

By Lon J. Berman, CISSP, RDRP at BAI. The Defense Security Service (DSS) serves as an interface between the government and cleared industry. DSS administers and …

October 17, 2017

Is Your System a National Security System (NSS)? and How Does That Affect RMF Efforts?

By Lon J. Berman, CISSP, RDRP By federal law, an information system will be designated as a National Security System (NSS) in accordance with the following …

October 17, 2017

RMF: Is It Effective?

By Kathryn Daily, CISSP, RDRP In July 2017, SolarWinds conducted an online survey via Market Connections aimed at approximately 200 federal government IT …

July 13, 2017

Continuous Monitoring Today—And Tomorrow

This article was written by Lon Berman, CISSP, RDRP of BAI Information Security Step 6 of the Risk Management Framework (RMF) is entitled “Monitor Security …

July 13, 2017

Security Control Spotlight— Inheritance from a FedRAMP Approved CSP

This article was written by Kathryn M. Daily, CISSP, RDRP of BAI Information Security. In a previous article, security control inheritance from an external …

April 13, 2017

NIST SP 800-53 Rev 5—Big Changes Coming?

By Lon Berman, CISSP of BAI Information Security As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication …

April 11, 2017

Top Ten—Things You Should Know about eMASS

By Lon J. Berman, CISSP of BAI Information Security The Enterprise Mission Assurance Support Service, or eMASS, is a web-based Government off-the-shelf (GOTS) …

January 30, 2017

Security Control Spotlight—Training

By Kathryn M. Daily, CISSP BAI Information Security In this issue we will shine the spotlight on the Awareness and Training (AT) family of security controls. …

January 30, 2017

Top Ten—Documentation Recommendations

By Lon J. Berman, CISSP BAI Information Security Supporting documentation (aka. artifacts) is key to providing evidence of compliance with security controls. …

September 16, 2016

Security Control Spotlight—Contingency Planning

By Kathryn M. Daily, CISSP of BAI Information Security In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. …

September 16, 2016

Top Ten RMF Pitfalls Revisited

By Lon Berman, CISSP of BAI Information Security Like any complex process, RMF is not without its share of potential pitfalls. Now that we have the benefit of …

September 16, 2016

Understanding the Authorization Decision

By Lon Berman, CISSP of BAI Information Security If you ask most system owners about the desired outcome of their RMF efforts, they will readily tell you “we …

June 23, 2016

RMF Training in Virginia Beach is Filling up!

Attention information assurance and cyber security professionals in Hampton Roads! IT Dojo is running an RMF for DoD IT training course in the Virginia …

June 8, 2016

Top Ten—RMF “Lessons Learned”

By Lon J. Berman, CISSP BAI Information Security I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and …

June 7, 2016

Enhance Your RMF Training Experience with TrainPlus!

Picture this. You’ve just completed your RMF training with IT Dojo. You spent four days in class learning and doing. So much information and guidance has come …

June 7, 2016

Security Control Baseline “Tabletop Review”

By Lon J. Berman, CISSP at BAI Information Security Let’s take a look at some strategies for reviewing the Security Control Baseline and creating “action plans” …

June 1, 2016

Security Control Spotlight—Inheritance

By Kathryn M. Farrish, CISSP BAI Information Security Security Control Inheritance is one of the most powerful tools available to facilitate the RMF process. …

March 11, 2016

Security Control Spotlight—STIGs and Controls

By Kathryn M. Farrish, CISSP at BAI Inc. One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of …

March 7, 2016

Building A Security Control Baseline “Step-by-Step”

Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve …

March 1, 2016

Top Ten—Questions for your Authorizing Official

By Annette Leonard The importance of the Authorizing Official (AO) in the RMF process is self evident. As the individual charged with signing your Authorization …

February 29, 2016

System Scans in eMASS … Think Before You Upload!

By Kathryn M. Farrish, CISSP eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life …

November 23, 2015

Security Control Spotlight: A Little Good News?

Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward …

November 19, 2015

RMF’s System Categorization: Step by Step

In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and …

July 13, 2015

Common Controls and Inheritance

By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable by multiple …

July 10, 2015

FAQ: How Comprehensive is your RMF for DoD IT Course?

The most common question we get in regards to our RMF for DoD IT training course is this: How comprehensive is your RMF for DOD IT course? The reason I ask is …

July 9, 2015

Security Control Spotlight—Privacy Overlay

By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and …

July 8, 2015

System Categorization-Take the Time to Get it Right

By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not …

July 7, 2015

Post Training Support on our RMF classes!

TrainPlus! POST TRAINING SUPPORT RMF education doesn't just stop when the training class is over. That's why we offer TrainPlus!, a RMF Q&A follow-up session. …

April 27, 2015

Why NIST’s Free Online RMF Training is Not Enough

As many of you are already aware, NIST offers free online Risk Management Framework training as a resource on their website. While this is a great resource …

March 16, 2015

What Are CCIs and Why Should I Care About Them?

By Kathryn M. Farrish, CISSP One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard …

March 13, 2015

Security Control Spotlight—The PM Family

By Lon J. Berman, CISSP The Beatles were comprised of how many musicians? Easy, right? They were called the “Fab Four”, so there were definitely 4. Now Google …

March 12, 2015

Getting Off to A Good Start with Your RMF Transition

This is a top ten list of things that will help you at the beginning of your transition from DIACAP to RMF.

March 11, 2015

RMF Transition—What do I Really Need to Know?

By Lon J. Berman, CISSP It’s hard to believe it’s been a whole year since the publication of DoD Instruction (DoDI) 8510.01 in March of 2014, which officially …

January 27, 2015

Spotlight: Information Security Continuous Monitoring

By Lon Berman, CISSP No longer just a technical issue, instead a strategic program to manage cybersecurity risk. Targeted cyber attacks are a strategic …

November 13, 2014

Security Control Spotlight—By the Numbers

By Lon J. Berman, CISSP of BAI, Inc. In this issue’s “Spotlight”, we’re not going to focus on any specific controls or families, but rather on a comparison of …

November 5, 2014

Top Ten—Sources of RMF Policy and Guidance

By Annette Leonard of BAI, Inc. RMF-related policies and guidance come from a plethora of sources within the seemingly-convoluted federal landscape. We believe …

October 31, 2014

Significant Update to NIST SP 800-53A

By Kathryn M. Farrish, CISSP of BAI, Inc. At long last, NIST has finally released a draft copy of the updated version of SP 800-53A, entitled Assessing Security …

October 21, 2014

RMF Transition—What is the Real Timeline?

By Lon Berman of BAI, Inc. Now that RMF is official DoD policy, every DoD system owner needs to begin planning their “transition” from DIACAP. In order to plan …

October 16, 2014

Spotlight: Transitioning to the Risk Management Framework (RMF)

With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD has begun. DoD programs are busy planning and …

August 21, 2014

RMF Training: Better Price. Better Delivery. Best Results.

The DoD has announced that RMF for DoD IT will supercede the current DIACAP requirements. Revised DoD IA policies and procedures will not be published until …

July 21, 2014

Security Control Spotlight— Organization-Defined Parameters

By Kathryn M. Farrish, CISSP BAI Consulting Under RMF, NIST SP 800-53 is the primary source for security controls. If we compare these controls to the DoDI …

July 18, 2014

Top Ten—Ensuring a Smooth Transition to RMF

By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of “RMF for DoD IT”, let’s take a look at some of the things your …

July 16, 2014

DoD Programs “Gear Up” for Transition to RMF

By Lon J. Berman, CISSP BAI Consulting With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD is now …

April 25, 2014

RMF Transition Timeline Infographic

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here. Here is a link to a great book …

April 22, 2014

What are the Steps in the Risk Management Framework Process?

April 11, 2014

DoD (Finally) Begins Transition to RMF

By Lon J. Berman, CISSP BAI Consulting The wait is over! RIP DIACAP!! At long last, DoD has announced the start of transition from the legacy DIACAP …

April 10, 2014

Top 10 Things that Will Be Staying the Same with RMF

By Lon J. Berman, CISSP BAI Consulting As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all …

April 9, 2014

RMF Documents and Resources

For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no …

April 8, 2014

Top Ten—What’s “new” in RMF for DoD IT?

By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of RMF, let’s take a look at some of the things that are “new”! 10. …

April 7, 2014

Continuous Monitoring—It’s Not (Just) About The Tools

by Annette Leonard BAI Consulting Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT …

March 24, 2014

DIACAP says, "So Long"

DoD replaces DIACAP with NIST-based RMF standard.

February 28, 2014

DoD Transition to RMF Imminent—Will You Be Ready?

By Lon J. Berman, CISSP For quite some time, it’s been well known that DoD would be making a transition from the legacy DIACAP Certification and Accreditation …

May 20, 2011

The Debate Surrounding Section 6.5.4.1

The IANA (Internet Assigned Number Authority) distributes IPv6 address to RIR's (Regional Internet Registry's) around the world. At the moment there are five …