Dear Dr. RMF

“Assessed” writes: Please help me better understand RMF Assess Only. Some of my colleagues are saying we should consider pursuing an Assess Only ATO because it’s so much easier than going through the full ATO process. Is that even for real? Dr. RMF responds: RMF Assess Only is absolutely a…

Post Categories: Dr. RMF

Dear Dr. RMF

JZ writes: I have a question regarding Control Enhancement AC-6(3). The control states that the organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs and documents the rationale for such access in the security plan for the information system. Does this mean that every privilege…

Post Categories: Dr. RMF

CMMC AB Proposes “Pay to Play” Program

By Kathryn Daily, CISSP, CAP, RDRP On Saturday, September 12th, the CMMC Accreditation Body (AB) posted a page to its website advertising a “Partnership Program” in which contracting companies could pay up to $500,000 for a CMMC AB stamp of approval. The proposed program consists of five levels ranging…

Post Categories: CMMC

Security Control Spotlight: AC-20 (Use of External Information Systems)

By Ernest Smith, CISSP, PMP Requirement (simplified): Do you have contracts and/or service level agreements with the owners of any system outside your authorization boundary that processes, stores, or transmits your information? Breakdown: What is an “external information system”? Employee personally owned devices (I said it!) Systems…

Post Categories: Risk Management Framework Tags: CONTROLS, NIST SP 800-53, RMF

Dear Dr. RMF

Daphne in Kansas City asks: Dr. RMF, we are bidding on a multi-year contract to provide services to a DoD agency. The process is down to the final stage and we are looking good to win the work. Assuming we are awarded the work, the government will be requiring us…

Post Categories: Dr. RMF

Dear Dr. RMF

Sean from US Navy asks: Dr. RMF, we are working on an acquisition for several new medical imaging devices in our hospital. Each of these new devices contains an embedded computer running the Linux operating system. A connection to the hospital’s data network is used to send imaging data to…

Post Categories: Dr. RMF