“AO A-Okay” writes: I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single…
“Controls Freak” asks: I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says…
“Secret Admirer” writes: I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat! Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our…
By Lon J. Berman, CISSP, RDRP
Information Security Continuous Monitoring (ISCM) is arguably the most important step in the Risk Management Framework (RMF), since it is here that we ensure a system’s level of risk is maintained at an acceptable level over the long term. The recent initiative to establish…
“New AO, new game?” writes: We just found out our Authorizing Official will be retiring next month and there is still no word on who his replacement will be. What sort of problems can we anticipate when a new AO takes over the reins? How much flexibility will he/she have…
“Death by POAM” writes: I just started a new job and I am a bit surprised at what I am seeing with the POA&Ms for the various systems in my new agency. At my previous place of employment we carefully maintained POA&Ms for several systems. In all cases, each line…
“Let’s Get Physical” asks: Control Enhancement AT-3(2) states “The organization provides … training in the employment and operation of physical security controls”. Our system is hosted in the cloud (by a commercial cloud service provider) and therefore we have no physical security controls within our system boundary. At first we…
“Just want to be informed” writes: As a consultant, I try very hard to keep up with all the RMF publications so I can best serve my clients. On the NIST website I found a mailing list you can subscribe to. I signed up and now I receive regular e-mails…
“Thirsty for Knowledge” asks: About a year ago I completed the 4-day RMF for DoD IT training with BAI. It was time well spent and has helped me in numerous ways. Now I’m searching for additional training that can help me build on the knowledge I gained in that RMF…
By Lon J. Berman, CISSP, RDRP
Sometimes I wish I had a crystal ball I could peer into to see what is in store for the future. And nowhere do I wish for this more fervently than in the area of cybersecurity and RMF. It would be lovely to know…