Good day, all;
I am taking an informal poll --- does anyone else serve as an Information Systems Security Manager (ISSM) or Officer (ISSO) and/or work with DoD Risk Management Framework (RMF) or NIST SP 800-53?
Charles @cindelicato,
Until my retirement in Spring 2018 I worked for many years (10+) with the entire RMF set of NIST SPs 800-37, -53, -53A, etc., as a contractor for multiple DoD organizations and also for the VA. In one of those engagements the ISSM appointed me as one of several ISSOs to assist in the RMF process for new systems being developed.
I try to stay aware of updates in the RMF family, but admit I am probably not current on RMF practices today.
I mostly do CDS work these days but am also the ISSE on two small RMF packages. The Navy has its own spin on how RMF works. Beyond that, each Echelon II can be different as well. It makes life fairly interesting.
In about 4-6 months, I am looking forward to retirement. IMHO, the best way to deal with RMF is in the rear view mirror. LOL.
I have been in positions working DoD DIACAP/RMF and NIST managing system packages and assessments for over 15 years. Government positions will require a security clearance (typically already active and agency specific) in addition to certification and experience. Most positions are gradually being converted over to government and typically have a minimal contractor support staff.