Category Archives: Risk Management For DoD IT

IT Security Career Risk Management Framework

So you want to get into Information Technology? Well, what do you want to do in IT? There are many different branches of it. I would suggest going into IT security, specifically the Risk Management Framework. It is a very specialized field.

You will need to know the fundamentals of IT security: the basics of what goes into securing important data and the hardware that holds it. You will also need at least a little knowledge of technology and its history. You will need to know a LOT about NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems”. You will need to dive into NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”.

Since not many people want to do this work, or even know about it, there is not much competition, and employers are always looking for qualified people to do it. What you will need is a 4-year degree (preferably in something technical), an IT security certification (Security+, ISC2 CAP, CISSP, CASP, CISM, CISA) and a lot of knowledge of NIST SP 800-37.


DIACAP vs DoD RMF for IT vs NIST RMF

There are differences between the old DIACAP (being phased out), DoD RMF for IT and NIST RMF. What is “DIACAP”? It stands for Department of Defense Information Assurance Certification & Accreditation Process, and it is based on the old DoDI 8510.01 and DoD 8500 documents. The process was designed to make absolutely sure that federal systems have security controls in place.

With the constant, exponential evolution of information technology, this process has had to change to keep up with the times. DIACAP is being replaced with the DoD Risk Management Framework for Information Technology (DoD RMF for IT). This process is more granular, more detailed and more frequent, and it covers many new technologies that DIACAP did not. DoD RMF for IT is fundamentally based on NIST SP 800-37, the Risk Management Framework.


What is the Risk Management Framework (NIST SP 800-37)

Risk Management is being aware of probable unfavorable outcomes and taking action to prepare for them.

The Risk Management Framework is a process for implementing risk management in an organization.

There are (6) steps to the RMF:
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Continuous Monitoring

More on the Risk Management Framework Steps here:

risk management framework steps

STIG Update – DISA has released the following IAVM packages

DISA has released the following IAVM packages:
http://iase.disa.mil/stigs/Pages/iavm.aspx

AIX 6.1 Ver 1, Rel 22
Apple OS 10.10 Workstation Ver 1, Rel 11
Apple OS 10.8 Workstation Ver 1, Rel 15
Apple OS 10.9 Workstation Ver 1, Rel 12
BlackBerry 10 OS Ver 1, Rel 13
Cisco IOS Ver 1, Rel 13
HP-UX 11.31 Ver 1, Rel 22
MAC OS X 10.6 Ver 1, Rel 22
Oracle Linux 5 Ver 1, Rel 15
Oracle Linux 6 Ver 1, Rel 15
RHEL 5 Ver 1, Rel 22
RHEL 6 Ver 1, Rel 20
Solaris 10 SPARC Ver 1, Rel 22
Solaris 10 x86 Ver 1, Rel 22
Solaris 11 SPARC Ver 1, Rel 15
Solaris 11 x86 Ver 1, Rel 15
Windows 7 Ver 1, Rel 20
Windows 8 and 8-1 Ver 1, Rel 20
Windows 2008 R2 Ver 1, Rel 20
Windows 2008 Ver 1, Rel 20
Windows 10 Ver 1, Rel 6
Windows 2012 and 2012 R2 Ver 1, Rel 18
Windows Vista Ver 1, Rel 20
zOS Ver 6, Rel 27


For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil

Defense Information Systems Agency (DISA)
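Notices like the one above list each benchmark as "<product> Ver <n>, Rel <m>", and the practical question for a site is which of its applied STIG/IAVM packages fell behind. The following is an added example, not code from DISA or from this site: it parses release lines in that format and compares them against a local inventory. The inventory format (product name mapped to an applied (version, release) pair) is an assumption made for the example, and both the notice excerpt and the inventory are constructed samples.

```python
import re
from typing import NamedTuple

class Benchmark(NamedTuple):
    """One STIG/IAVM benchmark as named in a DISA release notice."""
    product: str
    version: int
    release: int

# Matches lines of the form "<product> Ver <n>, Rel <m>" as used in the notice.
LINE_RE = re.compile(
    r"^(?P<product>.+?)\s+Ver\s+(?P<version>\d+),\s*Rel\s+(?P<release>\d+)\s*$"
)

# Constructed sample: a few lines in the notice format, plus a heading and a blank
# line that the parser must skip.
SAMPLE_NOTICE = """\
DISA has released the following IAVM packages:

Cisco IOS Ver 1, Rel 13
RHEL 6 Ver 1, Rel 20
Windows 10 Ver 1, Rel 6
Solaris 10 x86 Ver 1, Rel 22
zOS Ver 6, Rel 27
"""

# Constructed sample (assumed format): what a site believes it has applied,
# keyed by product name with (version, release) values.
SAMPLE_INVENTORY = {
    "Cisco IOS": (1, 12),
    "RHEL 6": (1, 20),
    "Windows 10": (1, 5),
    "zOS": (6, 27),
    "HP-UX 11.31": (1, 21),
}

def parse_notice(text: str) -> list[Benchmark]:
    """Extract every 'Ver/Rel' line from a notice; other lines are ignored."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Benchmark(m["product"], int(m["version"]), int(m["release"])))
    return found

def compare_inventory(released: list[Benchmark], inventory: dict):
    """Split the released benchmarks into three groups relative to the inventory:
    outdated  -> (product, applied (ver, rel), released (ver, rel))
    current   -> product names whose applied version/release is at least the released one
    untracked -> products in the notice that the inventory does not list at all
    """
    outdated, current, untracked = [], [], []
    for b in released:
        applied = inventory.get(b.product)
        latest = (b.version, b.release)
        if applied is None:
            untracked.append(b.product)
        elif tuple(applied) < latest:   # tuple order: version first, then release
            outdated.append((b.product, tuple(applied), latest))
        else:
            current.append(b.product)
    return outdated, current, untracked

if __name__ == "__main__":
    released = parse_notice(SAMPLE_NOTICE)
    outdated, current, untracked = compare_inventory(released, SAMPLE_INVENTORY)
    for product, have, latest in outdated:
        print(f"OUTDATED  {product}: applied V{have[0]}R{have[1]}, released V{latest[0]}R{latest[1]}")
    for product in untracked:
        print(f"UNTRACKED {product}: in notice but not in inventory")
    print(f"{len(current)} benchmark(s) already current")
```

Products that appear in the inventory but not in the notice (HP-UX 11.31 in the sample) are simply not reported, since a notice only speaks for the packages it lists; the "untracked" group is the one worth a second look, because it usually means an asset class that nobody is tracking against the published benchmarks.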

STIG Update – DISA has released the Oracle Java Runtime Environment (JRE) 8 STIG Version 1

DISA has released the Oracle Java Runtime Environment (JRE) 8 STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available at http://iase.disa.mil/stigs/app-security/app-security/Pages/index.aspx.


For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


STIG Update – DISA has approved the signed Cloud Computing Security Requirements Guide v1r2 for public release

DISA has approved the signed Cloud Computing Security Requirements Guide v1r2 for public release. The requirements in this SRG become effective immediately except for those CSPs currently being assessed under v1r1. The SRG is available on IASE at: http://iase.disa.mil/cloud_security/Pages/index.aspx

DoD Cloud computing policy and the CC SRG are constantly evolving based on lessons learned with respect to the authorization of Cloud Service Offerings and their use by DoD Components. As such, the CC SRG is following an “Agile Policy Development” strategy and will be updated quickly when necessary. In support of this strategy, DISA is offering a continuous public review option by accepting comments on the current version of the CC SRG at any time. Please use the comment matrix posted along with the SRG. We would appreciate it if your comments are limited to critical issues and omissions or recommended coverage topics.

Submit all comment matrices and questions to disa.stig_spt@mail.mil


For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil