by Lon J. Berman, CISSP, RDRP The year 2020 will be remembered for lots of things, not the least of which was the “great toilet tissue shortage.” Who can forget running from store to store, only to be confronted with empty shelves? 2020 was also the year the term “supply…
A reader who calls herself “Thirsting for Knowledge” asks: Dear Dr. RMF, Recently I’ve seen a few RMF-related articles online that referred to something called the “knowledge service”. Can you tell me what exactly this service is and if you think it would help me develop my RMF skills. Is…
A reader who calls himself “Dis-appointed?” asks: Dear Dr. RMF, Are appointment letters required to obtain an eMASS account for the roles of ISSO, ISSM, and SCA? Also, are appointment letters required for executing the roles of ISSO, ISSM and SCA (outside of obtaining eMASS accounts)? Dr. RMF Responds: Dear…
This blog excerpt is taken from our July 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter. By Lon J. Berman, CISSP, RDRP When it comes to the future of RMF, rumors abound but truth is hard to come by. In this article, we’ll take a look at…
A reader who calls herself "Cleanup Mode" writes: Dear Dr. RMF, I have recently taken over responsibility for a couple of systems and the RMF packages are a mess! I'm trying to make some sense out of how they handled the STIGs and it just makes no sense to me.…
A reader who calls himself "Between a Rock and a Hard Place" writes: Dear Dr. RMF, My unit is in the early stages of our RMF efforts for a new information system and we are having a little bit of a "debate" about which "version" of the RMF controls we…
by Lon J. Berman, CISSP, RDRP Those of us who have worked with government information systems for a number of years have come to realize the wheels of change turn very slowly – but they do turn! Case in point – DoD adoption of NIST Special Publication (SP) 800-53 Rev…
“Teamwork? I think not!” writes: Dear Dr. RMF, I am trying to put together a team to work the RMF process for a new system that’s under development. I got the bright idea of having each of the team members take responsibility for the security controls that are pertinent to…
“AO Picking on Us?” writes: Dear Dr. RMF, We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval…
By Lon J. Berman, CISSP, RDRP DoDI 8510.01, entitled Risk Management Framework for DoD Information Technology, specifies that “each DoD Information System (IS) … must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.” Within each DoD Component, the…