By Lon J. Berman, CISSP, RDRP Organizations performing classified work for DoD (aka. Cleared Contractor Facilities) are governed by the National Industrial Security Program (NISP). NISP is administered by the Defense Counterintelligence and Security Agency (DCSA), formerly known as the Defense Security Service (DSS). In general, companies covered by NISP…
By Philip D. Schal, Ph.D., CISSP, RDRP What is Project Sentinel? The United States Army recently announced that it is launching a new initiative called Project Sentinel. Project Sentinel is described as an adaption of the traditional RMF process with goals of streamlining RMF into a threat informed risk decision…
By Lon J Berman, CISSP, RDRP The Enterprise Mission Assurance Support Service (eMASS) is a DoD system that serves as an information repository and workflow manager for the Risk Management Framework (RMF) process. The history of eMASS can be traced back to a project called Digital DITSCAP at the Defense…
Dear Dr. RMF, RMF IA-4 Identification Management control is not easy. It has so many rabbit holes. I am not sure how to tackle this control. Could you please simplify this control for me. Let’s say for IA-4 Identifier Management, the information system is a web application/web server. For the…
Dear Dr. RMF, I was wondering if you could guide me to the official “source” for all SOP’s required for RMF. I have copies of SOP’s I have done for another group but these were built off templates we were given from our ISSM at the time. I have combed…
Dear Dr. RMF, First of all, just stumbled across this blog few days ago….awesome! There is piles of documentation but not enough community sourced help for the RMF process. I tried starting an RMF sub-reddit but it never took off! I have so many questions! But one in particular that…
Dear Dr. RMF, Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems….
By P. Devon Schall, PhD, CISSP, RDRP Over the past 12 months, I have attended a handful of DoD cybersecurity conferences with the goal of convincing the DoD community that RMF training is a key solution in combatting the perceived RMF crisis. These conferences include the Air Force Information Technology…
By Lon J. Berman CISSP, RDRP CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system…
By Lon J. Berman, CISSP, RDRP All of us who have spent time working with RMF have come to understand just what a time-consuming and resource-intensive process it can be. As bad as that may be, it is made even worse when the same application or system ends up going…
