Dear Dr. RMF

Tony from OSD asks: Dr. RMF, I currently assess a boundary that includes all of our desktops, laptops, network printers, and some local printers. There are a number of devices (i.e. desktop/laptops) that don’t store Personally Identifiable Information (PII) per se, but will disseminate PII to our records management boundary…

Happy Birthday, RMF!

By Lon J. Berman, CISSP, RDRP This month we will be celebrating our oldest grandson’s tenth birthday. It suddenly made me realize that with everything that’s been going on in 2020, it appears we missed another significant birthday this year – February marked the tenth birthday of the Risk Management…

BAI’s Hands-on eMASS Simulator

by P. Devon Schall, PhD, CISSP, RDRP BAI recognizes that eMASS is a stumbling block for many new RMF practitioners. To mitigate these challenges, our instructional designers felt the creation of an eMASS sandbox environment where our students could practice working in eMASS without being scared to submit incorrect data…

RMF Supplement for DCSA Cleared Contractors

By Lon J. Berman, CISSP, RDRP In a previous edition (January, 2020) of RMF Today … and Tomorrow, we presented an overview of the adoption of RMF and eMASS by the Defense Counterintelligence and Security Agency (DCSA) for use by cleared contractor companies operating within the National Industrial Security Program…

Dear Dr. RMF

Dear Dr. RMF, I have a boundary for a web application. My SISO wants to move another web application into this approved boundary. The move is because both have similar operating characteristics, security and privacy requirements, and reside in the same environment of operation. As the SCA for the receiving…

Dear Dr. RMF

Dear Dr. RMF, In my research I cannot find any Agency level documentation that states this, however, I have located examples of contracts that have PII guidance pertaining to contractors. So, would it be considered compliant if I have examples of the contracts or should this be documented at Agency…

Dear Dr. RMF

Dear Dr. RMF, What is the purpose of having all personnel register at the DTIC website to receive update notifications? If we do not implement this, do we need to submit a POA&M for risk acceptance to the AO? Why DTIC, Regarding CA 1.6, the expression “What were they thinking?” comes…

Dear Dr. RMF

Dear Dr. RMF, In my office we are disputing the intent of RMF Control SA-4(9), i.e., whether it can be inherited or if it is intended to be system-specific. The control description states organization, but the compelling evidence calls for the SSP. Furthermore, the AP procedures call for contracts / agreements to be inspected. …

CMMC Assessors Requirements Announced

By Kathryn Daily, CISSP, CAP, RDRP Despite the current pandemic, the CMMC AB (Cybersecurity Maturity Model Certification Accreditation Body) is moving right along. They have now announced the requirements to become a Certified Professional (CP), Certified Assessor (CA), Certified Third Party Assessment Organization (C3PAO), or Registered Practitioner. The C3PAO will…
