Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Press Contact:

Jake Nelson
Dir of Marketing
Jnelson@corsec.com

          

The post Fed Roundup: July 2024 appeared first on Corsec Security, Inc.®.

DISA’s January News

• DISA’s Mission Partner Engagement Office (MPEO) increases forum frequency

NIST’s January News

Announcement:

• NIST PQC Standardization Process Candidates Announced

Releases & Special Publications:

• Draft NISTIR 8196, “Security Analysis of First Responder Mobile and Wearable Devices
• NISTIR 8011 Volume 3, “Automation Support for Security Control Assessments: Software Asset Management
• Draft Special Publication 800-189, “Secure Interdomain Traffic Exchange: BGP Robustness and DDoS Mitigation
• Risk Management Framework (RMF) updated – specification in NIST Special Publication (SP) 800-37 Revision 2
• NIST Internal Report (NISTIR) 8240, Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process

NIAP’s January News

Updates:

• None

Protection Profile Posting:

• Functional Package for Transport Layer Security (TLS) Version 1.0 Published

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

          

The post FED ROUNDUP: JANUARY 2019 appeared first on Corsec Security, Inc.®.

Corsec’s Kathleen Moyer discusses the myths and nuances of RMF and how companies can leverage it to create competitive advantages. Kathleen addresses the key questions from some of the companies that have come to us.

What is RMF and How Does It Affect My Business?

RMF, the Risk Management Framework, is laid out in the Federal mandate DODI 8500.01. As part of the current implementation of the Federal Information Security Management Act (FISMA), RMF instructs DISA to develop and maintain SRGs, STIGs, and usage guides that are consistent with DOD cybersecurity policies. In addition, it states that DISA shall oversee and maintain the connection approval process (“provides existing and potential NIPRNET, DATMS-U, and OSD Commercial Internet Waiver subscribers with connectivity requirements that must be followed” – DISA). There are six steps inherent to RMF: categorize, select, implement, assess, authorize, and monitor.

In terms that industry can understand, RMF provides a structured approach to managing the risk associated with the incorporation of information systems into an organization. If an organization wants to sell its security product to the DoD, it needs to follow RMF. Therefore, if a company wants to penetrate any of the following US DoD markets: Air Force, Army, Marines, Navy, or National Guard, then it must ensure its security solutions adhere to the guidelines laid out in RMF.

Where Is the DoDIN APL In This?

DoDIN APL (Information Network Approved Product List) is a component of RMF; it is the connection approval process as defined by DoD 8100.04. Below are the four requirements for RMF:

1. Unified capability products will receive unified capability certification for cyber security products in accordance with DoD 8100.04 (this is DoDIN APL).
2. Products that protect classified information must comply with CNSSP 11 (this calls for FIPS 140-2 and Common Criteria).
3. Products must meet security configuration guidance in accordance with Chapter 113 and comply with the connection approval process established in Chairman of the Joint Chiefs of Staff Instruction 6211.02D (calls out DISA “connect approval” i.e. DoDIN APL, as well as FIPS, Common Criteria, and Suite B)
4. Products will comply with the requirements of DoD 5200.44 (covers supply chain management), as applicable.

Companies going through the DoDIN APL Government Testing will get a SAR (Self Assessment Report) from the Test Center, which comes with a DIACAP Scorecard and 8500.2 IA Controls.  As JTIC tests the STIG/SRG requirements they are also testing these areas.  Vendors often do not see the filled out DIACAP Scorecard or 8500.2 IA Controls as it is can be buried in the plethora of forms that face them.

RMF is a replacement for DIACAP; UC APL testing provides a mapping to the old DIACAP scorecard. The STIGs and SRGs that are used in DoDIN APL form a major piece of RMF. As the transition to RMF continues, the DoDIN APL process will be modified to support RMF. The Test Reports, Plans of Action and Milestones, IA and IO certification’s received through the DoDIN APL can be used to support the RMF process. The DIACAP scorecard will be replaced with a RMF Security Assessment Report (SAR). As a part of the DoDIN APL process the vendor receives an IO Authorization from the DoD CIO. As a result, RMF also sets guidelines for FIPS, Common Criteria and Suite B.

How Does This Impact Certifications In-flight?

Every company’s approach to certifications and security validations is unique. Corsec reviews the ever-changing requirements and advises companies on what changes need to be made, and the implications in the broader landscape.

Conforming to RMF is Just One Piece of The Puzzle

If you have not started the process yet and are being asked to comply with RMF, perhaps we can help.

Contact us and help us understand how RMF is impacting you and how we can assist you.

The post RMF: Is It Replacing the DoDIN APL and other Security Certifications? appeared first on Corsec Security, Inc.®.