By Ernest Smith, CISSP, PMP Requirement (simplified): Do you have contracts and or service level agreements with the owners of any system outside of your authorization boundary that are processing, storing, and transmitting your information? Breakdown: What is an “external information system”? Employee personally owned devices (I said it!) Systems…
By P. Devon Schall, CISSP, RDRP During a recent RMF literature search, I came across an interesting article titled “RMF Applied to Modern Vehicles”. The article was published by Charlie McCarthy and Kevin Harnett in 2014 and sponsored by the National Highway Traffic Safety Administration (NHTSA). The overall goal of…
By P. Devon Schall, M.S., MA.Ed. CISSP, RDRP On April 3rd and April 4th, I attended the Armed Forces Communications and Electronic Association (AFCEA) annual industry event titled AFCEA Belvoir Industry Days hosted at The Gaylord National Harbor in Maryland. The Belvoir chapter supports the Fort Belvoir community by connecting…
By Lon J. Berman, CISSP, RDRP NIST 800-53, and specifically Security Control CM-6, requires an organization to Establish and document configuration settings for information technology products employed within the information system using [Assignment: organizationdefined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; Implement the configuration…
By Lon J. Berman, CISSP, RDRP The Defense Security Service (DSS) serves as an interface between the government and cleared industry. DSS administers and implements the National Industrial Security Program (NISP) by providing oversight and assistance to cleared contractor facilities to ensure the protection of classified information. In short, if…
By P. Devon Schall, CISSP, RDRP With the addition of Step 0 to the RMF life cycle (a preparation step that BAI has been preaching for years which is now being implemented in SP 800-37 Rev. 2), we decided to make this month’s top ten list based on preparation. Preparation…
Security Control Spotlight— Inheritance from a FedRAMP Approved CSP By Kathryn M. Daily, CISSP, RDRP In a previous issue, security control inheritance from an external system hosted at a departmental or agency data center was discussed. In this article, we are going to discuss inheritance from a FedRAMP Approved Cloud Service…
NIST SP 800-53 Rev 5 – Big Changes Coming? By Lon J. Berman, CISSP As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication (SP) 800-53 Rev 4. What you may not know is that NIST is hard at work on SP…
Security Control Spotlight— “Naming” of Controls, Enhancements and CCIs By Kathryn M. Daily, CISSP After assisting numerous customers with their RMF efforts, we have seen several instances of confusion arise concerning the “naming” or “numbering” of Security Controls, Control Enhancements, and Control Correlation Identifiers (CCIs). We hope this short tutorial will…
BAI Announces eMASS Training Program By P. Devon Schall, CISSP We are pleased to announce that eMASS training will now be available from BAI to complement our RMF for DoD IT training program. Course Content Our initial course offering, eMASS eSSENTIALS, is a one-day session in which we provide “how…
