Security Controls Implementation Workshop By P. Devon Schall, PhD, CISSP, RDRP If you ask an RMF practitioner what the most challenging part of the RMF process is you’re likely to hear them reference responding to security controls! With thousands of assessment procedures, even those with a strong understanding of RMF…
Tony from OSD asks: Dr. RMF, I currently assess a boundary that includes all of our desktops, laptops, network printers, and some local printers. There are a number of devices (i.e. desktop/laptops) that don’t store Personally Identifiable Information (PII) per se, but will disseminate PII to our records management boundary…
By Lon J. Berman, CISSP, RDRP This month we will be celebrating our oldest grandson’s tenth birthday. It suddenly made me realize that with everything that’s been going on in 2020, it appears we missed another significant birthday this year – February marked the tenth birthday of the Risk Management…
By Amanda Jones On June 26, 2020, President Donald J. Trump issued the Executive Order on Modernizing and Reforming the Assessment and Hiring of Federal Job Candidates, in an effort to bring government agencies up to speed with newer hiring standards in the private sector. This comes in the wake…
by P. Devon Schall, PhD, CISSP, RDRP BAI recognizes that eMASS is a stumbling block for many new RMF practitioners. To mitigate these challenges, our instructional designers felt the creation of an eMASS sandbox environment where our students could practice working in eMASS without being scared to submit incorrect data…
By Lon J. Berman, CISSP, RDRP In a previous edition (January, 2020) of RMF Today … and Tomorrow, we presented an overview of the adoption of RMF and eMASS by the Defense Counterintelligence and Security Agency (DCSA) for use by cleared contractor companies operating within the National Industrial Security Program…
Dear Dr. RMF, I have a boundary for a web application. My SISO wants to move another web application into this approved boundary. The move is because both have similar operating characteristics, security and privacy requirements, and reside in the same environment of operation. As the SCA for the receiving…
Dear Dr. RMF, In my research I cannot find any Agency level documentation that states this, however, I have located examples of contracts that have PII guidance pertaining to contractors. So, would it be considered compliant if I have examples of the contracts or should this be documented at Agency…
Dear Dr. RMF, What is the purpose of having all personnel register at the DTIC website to receive update notifications? If we do not implement this, do we need to submit POA&M for risk acceptance to the AO? Why DTIC, Regarding CA 1.6, the expression “What were they thinking?” comes…
Dear Dr. RMF, In my office we are disputing the intent of RMF Control SA-4(9), i.e., whether it can be inherited or if it is intended to be system-specific. The control description states organization but the compelling evidence call for SSP. Furthermore, the AP procedures calls for contract / agreements to be inspected. …