Services

Contact us for a free 30-minute consultation. Fixed price and hourly rates available.

Proposal Support

Does your must-win proposal have an OSCAL, cATO or Cybersecurity Automation requirement? Would that be a discriminator?
Brian has an excellent win-rate architecting cybersecurity responses.

OSCAL Enablement

Trying to determine how to get started with OSCAL? There are many options.
Let the co-author of the OSCAL specification help you determine the best starting point for your organization.

Training

Canned or tailored training available for your sales, proposal and technical teams.

Enterprise Security Architecture

Increase the efficiency and effectiveness of your organization’s cybersecurity practices across your portfolio of systems and teams.

Allow staff to focus more on risk management and secure operations by reducing their level-of-effort on compliance.

Cybersecurity automation is only successful when it reduces the friction for cybersecurity practitioners and their organizations.

About

35 Years of Success Across Government and Industry

The Best Experience
  • OSCAL Co-Creator
  • FedRAMP PMO Authorization Lead
  • Cloud Service Provider Trust and Compliance Manager
  • Assessment Automation Design and Implementation
  • Air Traffic Control System Support
  • Telecommunication Industry Cyber Solutions
  • Pharmaceutical Industry Cyber Program Manager
  • Financial Industry Cyber Program Manager
  • Government Agency Support: CBP, DoD, DOL, EPA, FAA, FedRAMP PMO, NRC, US-CERT
  • Over 20 Proposals as Cyber Solution Architect/Cyber Tech Prop Lead with >85%
Brian Ruf

Owner

The Right Skills
  • Business Process Re-engineering (BPR)
  • Process Automation
  • Quality Management (QM)
  • Enterprise Security Architecture
  • Information Technology (IT) Administration
  • Software Engineering
  • Cybersolution Architect
The Right Certifications
  • Certified Information System Security Professional (CISSP) since 2000
  • Project Management Professional (PMP) since 2009
  • Certified Cloud Security Professional (CCSP) since 2019

Brian represented the FedRAMP PMO on the NIST OSCAL Team. His mission was to ensure the OSCAL specification fully supported the PMO's processes.

Brian developed the initial draft of the OSCAL SSP, AP, AR and POA&M models based on his experience as a FedRAMP Authorization Lead. His drafts were influenced by past experience with data modeling, business process re-engineering, software engineering, and automation of cyber processes.

Brian then worked closely with the NIST OSCAL Technical Lead to ensure these models also supported broader government and industry needs, including Continuous Compliance/cATO use cases.

Brian also developed the first FedRAMP Guides to OSCAL Content.

Frequently Asked Questions

Where is the best place to start with cybersecurity automation?

There is no one right answer to this question. It depends on your organization's mission, the type and complexity of your systems, and the maturity of your existing security/compliance processes.

If you would like a fixed-price analysis and recommendations, contact us for a free 30-minute consultation and quote.

How can I learn more about OSCAL?

The NIST OSCAL site is the best place to start learning about OSCAL. For additional OSCAL resources, check out https://OSCAL.io

Where can I find existing OSCAL content?

OSCAL content is becoming more prevalent all the time. Some of the best places to find OSCAL content include the NIST OSCAL Content GitHub Repository, the FedRAMP PMO's Automation GitHub Repository, and the OSCAL Content Registry.

Where can I connect with others in the OSCAL community?

First, check out the NIST OSCAL mailing lists and Element/Gitter channel.

You may also wish to check out the LinkedIn OSCAL Community and, if you are in the DC metro area, the Mid-Atlantic OSCAL Community Meetup Group.

What is Continuous Authorization to Operate (cATO), Continuous Authorization, Continuous Assessment, or Continuous Compliance?

These are similar terms with nuanced differences in meaning. What they have in common is the use of automation to continuously monitor a system with the goal of detecting any changes that would bring the system out of compliance.

Achieving this requires a holistic approach to documenting the system's security controls accurately and managing the system's configuration through effective configuration management and predictable deployment mechanisms.

Most organizations need to take an incremental approach, achieving this goal in phases.

If you would like a fixed-price analysis and recommendations, contact us for a free 30-minute consultation and quote.

Contact us

Please contact us for a free 30-minute consultation.