“Teamwork? I think not!” writes: Dear Dr. RMF, I am trying to put together a team to work the RMF process for a new system that’s under development. I got the bright idea of having each of the team members take responsibility for the security controls that are pertinent to…
“AO Picking on Us?” writes: Dear Dr. RMF, We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval…
“AO A-Okay” writes: I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single…
“Controls Freak” asks: I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says…
“Secret Admirer” writes: I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat! Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our…
“New AO, new game?” writes: We just found out our Authorizing Official will be retiring next month and there is still no word on who his replacement will be. What sort of problems can we anticipate when a new AO takes over the reins? How much flexibility will he/she have…
“Death by POAM” writes: I just started a new job and I am a bit surprised at what I am seeing with the POA&Ms for the various systems in my new agency. At my previous place of employment we carefully maintained POA&Ms for several systems. In all cases, each line…
“Let’s Get Physical” asks: Control Enhancement AT-3(2) states “The organization provides … training in the employment and operation of physical security controls”. Our system is hosted in the cloud (by a commercial cloud service provider) and therefore we have no physical security controls within our system boundary. At first we…
“Just want to be informed” writes: As a consultant, I try very hard to keep up with all the RMF publications so I can best serve my clients. On the NIST website I found a mailing list you can subscribe to. I signed up and now I receive regular e-mails…
“Thirsty for Knowledge” asks: About a year ago I completed the 4-day RMF for DoD IT training with BAI. It was time well spent and has helped me in numerous ways. Now I’m searching for additional training that can help me build on the knowledge I gained in that RMF…