All Posts By Kathryn Daily

Dear Dr. RMF

Dear Dr. RMF, In my research I cannot find any Agency-level documentation that states this; however, I have located examples of contracts that have PII guidance pertaining to contractors. So, would it be considered compliant if I have examples of the contracts, or should this be documented at Agency…

Dear Dr. RMF

Dear Dr. RMF, What is the purpose of having all personnel register at the DTIC website to receive update notifications? If we do not implement this, do we need to submit a POA&M for risk acceptance to the AO? Why DTIC, Regarding CA 1.6, the expression “What were they thinking?” comes…

Dear Dr. RMF

Dear Dr. RMF, In my office we are disputing the intent of RMF Control SA-4(9), i.e., whether it can be inherited or if it is intended to be system-specific. The control description states organization, but the compelling evidence calls for SSP. Furthermore, the AP procedures call for contracts / agreements to be inspected. …

CMMC Assessors Requirements Announced

By Kathryn Daily, CISSP, CAP, RDRP Despite the current pandemic, the CMMC AB (Cybersecurity Maturity Model Certification Accreditation Body) is moving right along. They have now announced the requirements to become a Certified Professional (CP), Certified Assessor (CA), Certified Third Party Assessment Organization (C3PAO), or Registered Practitioner. The C3PAO will…

CMMC Continues to Mature

By Kathryn Daily, CISSP, CAP, RDRP CMMC is still a hot conversation topic in the DoD world. The model, as well as the process surrounding it, continues to develop and has largely stuck to the initial schedule set out by Katie Arrington at the onset of this project, no…

Dear Dr. RMF

Dear Dr. RMF, I am doing an annual review for an information system I have. Originally, this was inherited from our network boundary, but in reviewing this again it speaks specifically to information systems, which from my understanding cannot be inherited. If I am reading this control correctly it…

Dear Dr. RMF

Dear Dr. RMF, I have an information system that is currently being assessed and authorized, and the boundary consists of desktops, laptops, printers, a major OS, and about 10 to 15 applications, which are spread throughout an enterprise. In reviewing the DoDI 8510.01 and the definition of IT products it…
