A reader who calls herself “Thirsting for Knowledge” asks: Dear Dr. RMF, Recently I’ve seen a few RMF-related articles online that referred to something called the “knowledge service”. Can you tell me what exactly this service is and if you think it would help me develop my RMF skills? Is…
A reader who calls himself “Dis-appointed?” asks: Dear Dr. RMF, Are appointment letters required to obtain an eMASS account for the roles of ISSO, ISSM, and SCA? Also, are appointment letters required for executing the roles of ISSO, ISSM and SCA (outside of obtaining eMASS accounts)? Dr. RMF Responds: Dear…
This blog excerpt is taken from our July 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter. By Lon J. Berman, CISSP, RDRP When it comes to the future of RMF, rumors abound but truth is hard to come by. In this article, we’ll take a look at…
A reader who calls herself “Cleanup Mode” writes: Dear Dr. RMF, I have recently taken over responsibility for a couple of systems and the RMF packages are a mess! I’m trying to make some sense out of how they handled the STIGs and it just makes no sense to me…
A reader who calls himself “Between a Rock and a Hard Place” writes: Dear Dr. RMF, My unit is in the early stages of our RMF efforts for a new information system and we are having a little bit of a “debate” about which “version” of the RMF controls we…
“Teamwork? I think not!” writes: Dear Dr. RMF, I am trying to put together a team to work the RMF process for a new system that’s under development. I got the bright idea of having each of the team members take responsibility for the security controls that are pertinent to…
“AO Picking on Us?” writes: Dear Dr. RMF, We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval…
“AO A-Okay” writes: I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single…
“Controls Freak” asks: I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says…
“Secret Admirer” writes: I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat! Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our…