A reader who calls himself “Between a Rock and a Hard Place” writes: Dear Dr. RMF, My unit is in the early stages of our RMF efforts for a new information system and we are having a little bit of a “debate” about which “version” of the RMF controls we…
By Lon J. Berman, CISSP, RDRP Those of us who have worked with government information systems for a number of years have come to realize the wheels of change turn very slowly – but they do turn! Case in point – DoD adoption of NIST Special Publication (SP) 800-53 Rev…
By Kathryn Daily, CISSP, CAP (soon to be CGRC), RDRP What is GRC? GRC stands for Governance, Risk, and Compliance. GRC is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity. In August of 2021 ISC2 updated the exam outline and…
By Philip D. Schall, Ph.D., CISSP, RDRP For those who missed my last article titled The Authorizing Official (AO) Problem & The Army Risk Management Council (ARMC), I will provide a quick summary to bring readers up to speed. It has always been my perception that a big part of…
“AO Picking on Us?” writes: Dear Dr. RMF, We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval…
By Lon J. Berman, CISSP, RDRP DoDI 8510.01, entitled Risk Management Framework for DoD Information Technology, specifies that “each DoD Information System (IS) … must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.” Within each DoD Component, the…
“AO A-Okay” writes: I have worked on a number of different DoD contracts over the years and I’ve noticed that some of the DoD Components (e.g., Army) have different Authorizing Officials (AOs) for each of their various major commands or programs, while other DoD Components (e.g., Navy) have a single…
“Controls Freak” asks: I’m still fairly new at the profession, but since being assigned to an RMF project by my company, I have become rather obsessed with the RMF security controls. My ambition is to memorize all the controls and control enhancements in NIST 800-53 so that if someone says…
“Secret Admirer” writes: I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat! Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our…
By Philip D. Schall, Ph.D., CISSP, RDRP About four or five years ago, I had a meeting with an Army organization on the topic of providing RMF training targeted specifically at Authorizing Officials (AOs). My memory is a bit hazy, but as I recall, after two or three meetings we…