This blog excerpt is taken from our April 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter. By: Devon Schall, Ph.D., CISSP On March 30th, I had the opportunity to attend the primary conference day for Information Systems Security Association (ISSA) Colorado Springs Cyber Focus Week hosted at…
By Kathryn Daily, CISSP, CAP (soon to be CGRC), RDRP What is GRC? GRC stands for Governance, Risk, and Compliance. GRC is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity. In August of 2021 ISC2 updated the exam outline and…
“Teamwork? I think not!” writes: Dear Dr. RMF, I am trying to put together a team to work the RMF process for a new system that’s under development. I got the bright idea of having each of the team members take responsibility for the security controls that are pertinent to…
By Philip D. Schall, Ph.D., CISSP, RDRP For those who missed my last article titled The Authorizing Official (AO) Problem & The Army Risk Management Council (ARMC), I will provide a quick summary to bring readers up to speed. It has always been my perception that a big part of…
“AO Picking on Us?” writes: Dear Dr. RMF, We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval…
By Lon J. Berman, CISSP, RDRP DoDI 8510.01, entitled Risk Management Framework for DoD Information Technology, specifies that “each DoD Information System (IS) … must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.” Within each DoD Component, the…
“AO A-Okay” writes: I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single…
“Controls Freak” asks: I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says…
“Secret Admirer” writes: I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat! Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our…
By Philip D. Schall, Ph.D., CISSP, RDRP About four or five years ago, I had a meeting with an Army organization on the topic of providing RMF training targeted specifically at Authorizing Officials (AO’s). My memory is a bit hazy, but as I recall, after two or three meetings we…
