A reader who calls herself “Cleanup Mode” writes: Dear Dr. RMF, I have recently taken over responsibility for a couple of systems and the RMF packages are a mess! I’m trying to make some sense out of how they handled the STIGs and it just makes no sense to me….
A reader who calls himself “Between a Rock and a Hard Place” writes: Dear Dr. RMF, My unit is in the early stages of our RMF efforts for a new information system and we are having a little bit of a “debate” about which “version” of the RMF controls we…
This blog excerpt is taken from our April 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter. By Kathryn Daily, CISSP, CGRC (Formerly CAP), RDRP As some may have heard, SCAP Compliance Checker (SCC) has lost funding from DISA as of the end of FY22 and as a…
This blog excerpt is taken from our April 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter. By: Devon Schall, Ph.D., CISSP On March 30th, I had the opportunity to attend the primary conference day for Information Systems Security Association (ISSA) Colorado Springs Cyber Focus Week hosted at…
By Kathryn Daily, CISSP, CAP (soon to be CGRC), RDRP What is GRC? GRC stands for Governance, Risk, and Compliance. GRC is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity. In August of 2021 ISC2 updated the exam outline and…
By Kathryn Daily, CISSP, CAP, RDRP CMMC is still a hot conversation topic in the DoD world. The model, as well as the process surrounding the model, continues to develop and has largely stuck to the initial schedule set out by Katie Arrington at the onset of this project, no…
By Philip D. Schall, Ph.D., CISSP, RDRP BAI RMF Resource Center is pleased to announce the RMF Micro Edition Video Series created in collaboration with CompTIA. Below is a summary of the course content as described by BAI’s lead trainer, Linda Gross: “BAI, in partnership with CompTIA, recently produced a…
Dear Dr. RMF, I am doing an annual review for an information system I have. Originally, this was inherited from our network boundary, but in reviewing this again it speaks specifically to information systems, which from my understanding cannot be inherited. If I am reading this control correctly it…
Dear Dr. RMF, I have an information system that is currently being assessed and authorized and the boundary consists of desktops, laptops, printers, a major OS, and about 10 to 15 applications, which is spread throughout an enterprise. In reviewing the DoDI 8510.01 and the definition of IT products it…
Dear Dr. RMF, In my office we are disputing whether RMF Control SA-4 can be inherited, or if it needs to be system-specific. The control description includes the word “Organization”, but the compelling evidence (per eMASS) calls for SSP. Furthermore, the Assessment Procedure calls for the contract/agreement to be inspected….