Watching these videos is helpful; there is no need to waste your money on RMF classes.
You are right I pray that God bless KamilSec
I am glad my videos are helpful...
Thanks!
This is what I was looking for, for a long long time
I am glad you found it! Please share so others can see it
@KamilSec I've ❤️❤️.
Are you planning to create a new video with a newer version? I'm happy to collaborate and participate in the making of it.
This is my second time watching your above presentation. You really made it very easy to understand. You are a genius. Thank you.
You're very welcome, glad it was helpful!
Wow, most people would charge for this beautiful illustration. Great job and thank you. Subscribing.
You're welcome! I am glad it was helpful and thanks for the sub!
I love the way you break things down. Will need interview guidance.
Thanks for sharing these videos!
You're welcome Kwaku
Excellent narration and video. Thanks for your time and efforts. I am a CISSP and a cybersecurity professional trying to get into the world of GRC. This was very helpful.
I am glad it was helpful. Best of luck!
@kamilsec!!! You make me relive the training section in class man. You are always best at what you do brother. I am so honored to have you as my instructor and mentor in this Cybersecurity domain. ❤
Thanks Michael...
Awesome info. Thanks for always pushing out informative content in regards to our RMF journey in the cyber world. You simplify and explain to your best ability. It's really helpful!! God bless KamilSec!!!
Glad it was helpful! Thank you!
wooooooooooooow kamil U THE REAL DEAL BLESS UR HEART BRO. THE KNOWLEDGE YOU JUST PUT OUT THERE IS AWESOME. WELL EXPLAINED VIDEO AND ON POINT THE SKY IS UR LIMIT BRO!
Thanks Steve!
Excellent, I learned a lot. I have gone through two classes on the RMF, but none broke down the control implementation in detail like you do. You explain the details on the Xacta and CSAM tools very well, and I did not understand Appendix D and F and the differences, but now I do very well. Thanks a lot.
Glad it was helpful! Appreciate your comment and commendations... Thanks!
Best of all explanations in the world so far. Big ups and bless up
Thanks Lawrence!
Thank you, sir, for the lovely breakdown. I wish to ask if you have a hands-on video for the Implementation step?
Not yet on UA-cam
Very, very good material you are putting out here, man. And the biggest difference here is that besides going through the basics of the explanations, you break it down with a hands-on exercise. Good job. I am new to this RMF, but you make it not scary at all just by following your tutorial.
I appreciate that!
I have sent you an email. Please respond in order to initiate a meeting and live discussion. Thanks
Excellent practical and hands-on presentation. Great job!
Glad you liked it!
You are so good! This video was super helpful and it felt hands on.
Glad it was helpful!
@kamilsec It's almost 1am here, I just binge watched your categorization video and this one :) I really enjoyed both videos and have a lot more clarity on these topics. Thanks so much for this selfless service!
You're very welcome, I am glad the videos were helpful.
Why do we have so many likes for this video, folks? Thanks, my dear, for this free info.
Thank you for the implementation statements in the video description. That was very helpful.
Glad it was helpful!
This was very deep. I am telling all my friends to subscribe to this page.
Much appreciated Seth.
Super helpful!! Great content, great voice and even greater facilitator. God bless bro
Glad it was helpful! Ameen and Thanks!!!
The video is easy to understand as the facts are well explained.
I enjoyed listening and learning. Can you recommend a simple way to get implementation done to save time?
To get it simply, you need to understand how the organization implements the controls.
Thank you for the information! What exactly are the CSUM and X Factor software, or where can I find more information about them? It would be very useful.
DOJ's proprietary Cyber Security Assessment and Management (CSAM) automates assessments and authorizations to provide a comprehensive assessment and continuous monitoring service. More than 20 government agencies depend on the CSAM service to fulfill their Assessment and Authorization (A&A) needs. It provides the capability to assess, document, manage, and report on the status of information technology for the risk management framework. Xacta is also a similar tool.
You are very good, sir. I really, really enjoyed your video. I'm taking an RMF class and this was one of the most confusing parts, but your video made me understand NIST 800-53 and all the appendices for selecting controls very well. Thank you, plus I just subscribed to your channel 😁😁👏👏
Awesome, I am glad it was helpful. You are very welcome!
Wooow!! Great work there m’mabia.
Thank you 🙌
Great video, prof. Can I please ask why you didn't use the FedRAMP SSP template, or is it still the same? Or, after selecting the controls in the spreadsheet, do we transfer the information in it to the FedRAMP Moderate SSP template?
Don't forget, we have both FISMA assessments and FedRAMP assessments. So this is more on the FISMA assessment....
I must say you provide great insight and clear explanations. Based on the RMF, the step after control selection is Implementation, but through your videos I saw all the steps except Implementation. I watched this video and am just asking if the entire Implementation step is the statement you provided towards the end of this video?
Hi Idara, no... the implementation step is more than that. Depending on the type and class of the control, the implementation process will vary. For instance, if we are dealing with Technical controls that require the developers or the engineers to deploy code or even a hardware device, then we will have to sit or meet with them so they explain the process, and we write the Implementation Statement based on the explanation. In some cases the developers can write the steps for us and we (Security Analysts) will craft the Implementation Statement. However, if the controls are Operational and Management controls that are all documentation, the Security Analyst can work with the System Owner to address the organizational process to write the Implementation Statement. So in a nutshell, the Implementation Statement is not generic; it is subjective based on the family and class of the control in question.
@KamilSec Great information, thank you for sharing
Great stuff, brother. Do you by chance know resources that give examples of implementation details for all the families?
No, I do not have anything like that, partly because different organizations implement the controls differently.
God bless you, thank you so much for this... subscribed and liked
Thanks!
This was very helpful. Thank you
Glad it was helpful Karen!
Thank you so much for sharing. Very helpful. Can I get all your video links? I will be seeking a cybersecurity job in a few months. Now on Security+ training.
Check out the KamilSec channel homepage: ua-cam.com/users/KamilSecvideos
This was really helpful! Thank you
Glad it was helpful!
Excellent, sir! I've really learned a lot through this video! Please, sir, I would like to know where you got those implementation statements?
I am glad the videos were helpful. For the Implementation Statements, I made them up for the purpose of the video.
Thank you so much for the videos. I think I saw OMB used as a reference for AC-11. Correct me if I'm wrong.
Could be
Amazing Job!!
This was very helpful, thank you very much.
Can I get a copy of the spreadsheet?
Thank you very much!!!
You are very welcome!
You are a pro 🎉🎉
Thank you!
Hi Kamil, can you please do a video on how to select controls using NIST 800-53B? Thanks.
I think it is not much different from Rev 4, but I will look into it if need be.
@KamilSec Thanks very much, Kamil
Nice presentation.
Thank you!
You are great.
Thanks for the kind words!
Thank you sir!
You are very welcome!
Thanks so much Kamilsec 🙏
@kamilsec, so this spreadsheet is totally different from the SSP? To my understanding, this spreadsheet is created by the ISSO and system owners, then the Authorizing Official (AO) authorizes it?
Yes, the spreadsheet is different; in some cases the spreadsheet is embedded into the PDF copy of the SSP. If the spreadsheet is being used in the agency, then there is a template that every system follows.
This is Super
Good day, for people who have already taken a class, do you have a class specifically for interviews?
Let's chat on kaamilzak@gmail.com
Do you have videos for implementation using NIST SP 800-53 Rev 5?
Not yet....
@KamilSec ok…. Thanks, I need a hands-on on Rev 5
If the CRM from FedRAMP has the wrong controls selected, and I have to tailor the service-provided system-specific (inherited, if I am correct) and the service provider hybrid (hybrid) controls, how do I know which control to apply to which? Please, if you have an easier way of contact, don't mind my sharing. I am using CSAM as the tool, but I am not sure how to select the proper controls or tell which controls go where.
Always go by the controls recommended by the baselines, and you start your tailoring from there...
@KamilSec, I didn't understand on what basis Low, Medium or High must be chosen. How can I know? Thanks.
You will know the baseline (Low, Med, High) based on the FIPS-199 categorization.
@KamilSec thanks 😉
Thanks so much for this. Can I contact you for interview guidance?
You're very welcome. Yes sure, you can!
PLEASE, IS THE SELECTED IMPLEMENTATION STATEMENT PROVIDED SOLELY BY THE SYSTEM OWNER? PLS I NEED ELABORATION ON THIS POINT
Not all; some controls that relate to SA will need some system owner input, and for some it will be system admins that help you write the Implementation Statements.
Very good! Very useful, thanks!
You're welcome. Glad it was helpful!
If the control status is "not implemented", what do you have to write under the implementation statement for that control?
Hi De Way, if the control is not implemented, then is it Planned or Compensated? That answer should be in the implementation column. Hope that answers your question.
@KamilSec how can I get in touch for mentorship?
@deway7408 Kaamilzak@gmail.com
Good day, in which document can we find the implementation statement?
Hi Chibinezie, Implementation statements are not in any document. As a Security Analyst or ISSO you have to write some and coordinate with the sys admins to write some.
@KamilSec thank you
Doesn't eMASS take care of all the documentation, making the use of Excel obsolete?
I mentioned in the video that this process has been automated; however, not all Fed agencies use eMASS, Xacta and so on.
@KamilSec Ah, definitely missed that! You're spot on with the video. I'm new to RMF and this series has been awesome. Appreciate you!
@kamilsec so if a control like AC-3 is not selected, do you still have to put it in the system, or do you need someone higher up to tailor it?
Nkum, so being that AC-3 is selected for all 3 baselines (Low, Mod and High systems), if for some unlikely reason this control is not implemented on a system, then you will need a higher-level signature approving why this control is not needed, and therefore tailored.
@KamilSec So when you tailor the control, you still document it on the spreadsheet?
Very informative
Where can I download this template? Thank you.
kamilsecfiles.s3.amazonaws.com/UA-cam_Shares/Control+Selection+Homework_Spreadsheet.xlsx
Kamil the great
Please can I contact you privately, this is a very lovely lecture.
kaamilzak@gmail.com
Thanks for this for real
You're welcome bro!
I am about to pay $2k for a cyber security crash course...good idea or naaah?
I will say, it depends on the material and also the past students' reviews of the course...
Thanks, but your videos do have low volume.
Hmmm, sorry about that. I am not sure what happened; I checked all videos for audio quality before upload.
🎉
Thanks for the information; this is really helpful.
Glad it was helpful!
This was very helpful! Thank you!
Glad it was helpful!