Dear Dr. RMF

Dear Dr. RMF, I am doing an annual review for an information system I have. Originally, this was inherited from our network boundary, but in reviewing this again it speaks specifically to information systems, which from my understanding this cannot be inherited. If I am reading this control correctly it…

Post Categories: Dr. RMF, Uncategorized

Dear Dr. RMF

Dear Dr. RMF, I have an information system that is currently being assessed and authorized and the boundary consists of desktops, laptops, printers, a major OS, and about 10 to 15 applications, which is spread throughout an enterprise. In reviewing the DoDI 8510.01 and the definition of IT products it…

Post Categories: Dr. RMF, Uncategorized

Dear Dr. RMF

Dear Dr. RMF, In my office we are disputing whether RMF Control SA-4 can be inherited, or if it needs to be system-specific. The control description includes the word “Organization”, but the compelling evidence (per eMASS) calls for SSP. Furthermore, the Assessment Procedure calls for the contract/agreement to be inspected….

Post Categories: Dr. RMF, Uncategorized

Ask Dr. RMF

Dear Dr. RMF, We are having a dispute in our office about how to handle security control selection for a “non-National Security System” (non-NSS). We know DoD has mandated that System Categorization and Security Control Selection shall be done “in accordance with CNSSI 1253”. However, the CNSSI 1253 security control…

Post Categories: Dr. RMF

Ask Dr. RMF

Dear Dr. RMF, RMF IA-4 Identification Management control is not easy. It has so many rabbit holes. I am not sure how to tackle this control. Could you please simplify this control for me. Let’s say for IA-4 Identifier Management, the information system is a web application/web server. For the…

Post Categories: Dr. RMF, Risk Management Framework

Ask Dr. RMF

Dear Dr. RMF, I can tell you I am definitely new to eMass. However, I have registered several packages and brought over artifacts. I have blindly (using the job aid) assigned controls, exported the spreadsheet and reimported. Haven’t been able to produce the RAR or POAM. With that being said,…

Post Categories: Dr. RMF, emass

Ask Dr. RMF

Dear Dr. RMF, First of all, just stumbled across this blog a few days ago… awesome! There are piles of documentation but not enough community sourced help for the RMF process. I tried starting an RMF sub-reddit but it never took off! I have so many questions! But one in particular that…

Post Categories: Dr. RMF, Risk Management Framework

Ask Dr. RMF

Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems….

Post Categories: Dr. RMF, FEDRamp, Risk Management Framework