Dear Dr. RMF, Meredith writes: Hi Dr. RMF! We are working on the RMF package in eMASS for a new system and there is a check box labeled “National Security System”. We’re not sure whether to check this box or not. One of my colleagues thinks we should check the…
Read More
By Kathryn Daily, CISSP, CAP, RDRP Ransomware is one of the top buzzwords you here today in reference to cybersecurity with good reason. Ransomware attacks nearly doubled in the first half of 2021. Thanks to NIST, organizations now have a framework of security objectives that support preventing, responding to, and…
Read More
By Lon J. Berman, CISSP, RDRP So, you’ve got your System Categorization completed and you’ve included any applicable overlays. You’ve reviewed all the resulting security controls to see if any of them should be marked Not Applicable, and, for those, you’ve written a justification. You’ve even gone through the security…
Read More
Dear Dr. RMF, “Assessed” writes: Please help me better understand RMF Assess Only. Some of my colleagues are saying we should consider pursuing an Assess Only ATO because it’s so much easier than going through the full ATO process. Is that even for real? Dr. RMF responds: RMF Assess Only…
Read More
By Lon J. Berman, CISSP, RDRP Anyone who has endured the “adventure” of going through the full RMF life cycle can attest to the daunting amount of work and attention to detail required to be successful. Some even question whether or not all this effort is really making our…
Read More
JZ writes: I have a question regarding Control Enhancement AC-6(3). The control states that the organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs and documents the rationale for such access in the security plan for the information system. Does this mean that every privilege…
Read More
By Kathryn Daily, CISSP, CAP, RDRP If you follow any cybersecurity news, I am sure you have heard about zero trust architecture (ZTA). Historically, the authorization process has existed primarily at the perimeter of the network. In zero trust architectures, authorization happens across the surface of the network. Essentially, zero…
Read More
By Philip D. Schall, Ph.D., CISSP, RDRP After the recent Colonial Pipeline and JBS Meat Processing ransomware attacks, I was approached multiple times by concerned friends asking if BAI could start offering cybersecurity training targeted towards private industry. My quick reply to these folks was that we have tried offering…
Read More
BAI RMF Resource Center is pleased to announce the return of RMF, eMASS, Security Controls, and STIG training classrooms with the addition of a new location in Alexandria South adjacent to Fort Belvoir! RMF for DoD IT and Federal Agencies & eMASS eSSENTIALS ™ Pensacola — August 2nd – 6th…
Read More
By Kathryn Daily, CISSP, CAP, RDRP Recently our regional grocery store chain notified their employees and customers that they had a data breach involving some HR data and pharma-cy records. The breach was caused by a vulnerability in the Accellion file-sharing system which the grocery chain immediately stopped using. As…
Read More