By Grace Brammer, RDRP The very first time I heard about a so-called ‘RMF process,’ I was in my freshman year of college. To anyone familiar with the industry, it may come as a shock to hear that my initial exposure to RMF left me with a mixture of emotions—mostly…
By Kathryn Daily, CISSP, CAP, RDRP Artificial intelligence (AI) is the theory and development of computer systems able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages. One example of AI is the use of virtual filters on our face…
By Lon J. Berman, CISSP, RDRP Information Security Continuous Monitoring (ISCM) is arguably the most important step in the Risk Management Framework (RMF), since it is here that we ensure a system’s level of risk is maintained at an acceptable level over the long term. The recent initiative to establish…
By Philip D. Schall, Ph.D., CISSP, RDRP First off, I would like to congratulate Director of Cybersecurity and Information Assurance at Army CIO/G-6, Nancy Kreidler on her recent retirement! As a self-proclaimed RMF nerd, I found one of her recent posts on LinkedIn humorous with the following lines “Step 1…
“New AO, new game?” writes: We just found out our Authorizing Official will be retiring next month and there is still no word on who his replacement will be. What sort of problems can we anticipate when a new AO takes over the reins? How much flexibility will he/she have…
“Death by POAM” writes: I just started a new job and I am a bit surprised at what I am seeing with the POA&Ms for the various systems in my new agency. At my previous place of employment we carefully maintained POA&Ms for several systems. In all cases, each line…
By Kathryn Daily, CISSP, CAP, RDRP Back in February, NIST issued a public Request for Information (RFI) to identify how the Cyber Security Framework was being used and also for recommendations on improving the effectiveness of the Framework and its alignment with other cyber security resources. “Every Organization needs to…
“Let’s Get Physical” asks: Control Enhancement AT-3(2) states “The organization provides … training in the employment and operation of physical security controls”. Our system is hosted in the cloud (by a commercial cloud service provider) and therefore we have no physical security controls within our system boundary. At first we…
“Just want to be informed” writes: As a consultant, I try very hard to keep up with all the RMF publications so I can best serve my clients. On the NIST website I found a mailing list you can subscribe to. I signed up and now I receive regular e-mails…
By Philip D. Schall, Ph.D., CISSP, RDRP As spring arrives, I thought it would be beneficial to share the rumblings and conversations I heard/had at AFCEA West 2022 and Rocky Mountain Cyberspace Symposium 2022 regarding my favorite topic, Risk Management Framework (RMF). Before I dive into my RMF conference debrief,…
