By Kathryn Daily, CISSP, CAP, RDRP CMMC is still a hot conversation topic in the DoD world. The model as well as the process surrounding the model continue to develop and has largely stuck to the initial schedule set out by Katie Arrington at the onset of this project, no…
By Philip D. Schall, Ph.D., CISSP, RDRP BAI RMF Resource Center is pleased to announce the RMF Micro Edition Video Series created in collaboration with CompTIA. Below is a summary of the course content as described by BAI’s lead trainer, Linda Gross: “BAI, in partnership with CompTIA, recently produced a…
By Grace Brammer, RDRP As an undergraduate computer science student, I often find it difficult to connect my work in academia to real-world cybersecurity implementation. While demand in the tech industry continues to grow, studying for a technical degree in college is both exciting and stressful. Unfortunately, the stress compounds…
Dear Dr. RMF, I am doing an annual review for an information system I have. Originally, this was inherited from our network boundary, but in reviewing this again it speaks specifically to information systems, which from my under-standing this cannot be inherited. If I am reading this control correctly it…
Dear Dr. RMF, I have an information system that is current-ly being assessed and authorized and the boundary consists of desktops, laptops, printers, a major OS, and about 10 to 15 applications, which is spread throughout an enterprise. In reviewing the DoDI 8510.01 and the definition of IT products it…
Dear Dr. RMF, In my office we are disputing whether RMF Control SA-4 can be inherited, or if it needs to be system-specific. The control description includes the work “Organization”, but the compelling evidence (per eMASS) calls for SSP. Furthermore, the Assessment Procedure calls for the contract/agreement to be inspected….
In an effort to strengthen the trustworthiness and resilience of the information systems, component products and services that the federal government depends on in every critical infrastructure sector and which support the economic and national security interests of the United states, NIST has released an up-dated version of the NIST…
By Lon J. Berman, CISSP, RDRP DoD and Federal agencies and their supporting contractors are struggling to adapt to the “new reality” of travel restrictions, mandatory telework and social distancing. While we don’t know how long these conditions will last, we do know that all organizations must continue to perform…
By Lon J. Berman, CISSP, RDRP Organizations performing classified work for DoD (aka. Cleared Contractor Facilities) are governed by the National Industrial Security Program (NISP). NISP is administered by the Defense Counterintelligence and Security Agency (DCSA), formerly known as the Defense Security Service (DSS). In general, companies covered by NISP…
Dear Dr. RMF, We are having a dispute in our office about how to handle security control selection for a “non-National Security System” (non-NSS). We know DoD has mandated that System Categorization and Security Control Selection shall be done “in accordance with CNSSI 1253”. However, the CNSSI 1253 security control…
