By P. Devon Schall, Ph.D., RDRP
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dear Doctor RMF,
We just received our report from Alex, our independent assessor team lead, and there were a surprising number of findings that were listed as “conflicted controls.” Betty, our ISSM, said it has something to do with STIG compliance, but I’m not sure how that relates to the various controls that are being reported as conflicted. She said we can address these issues by putting them on our POA&M, but I don’t want to do that without understanding exactly what is conflicted and why. I looked through DoDI 8510.01, CNSSI 1253 and NIST SP 800-53, and I don’t see any reference to “conflicted controls”. I thought we did a pretty good job preparing the RMF package and I am surprised at these results. The whole thing is giving me a headache and I need some “medical” advice. Please, Doctor, can you enlighten us on what is going on here?
Frustrated in Fayetteville
I absolutely understand your confusion regarding STIG compliance. When I began learning RMF, I had similar RMF headaches. The remedy for your headaches is understanding that these conflicts are coming from the files you have imported from STIG Viewer. These Continuous Monitoring and Risk Scoring (CMRS) files include STIG compliance results from Security Content Automation Protocol (SCAP) scans as well as “manually entered” STIG results. Each individual STIG item is associated with a control (or, more accurately, with a CCI). In your case, one or more non-compliant STIG settings are associated with controls that you previously marked as compliant in eMASS. You should visit each of the findings in Asset Manager and determine whether they can be made compliant (which will require a new CMRS import and possibly a new SCAP scan). If the “conflicting” STIG items cannot be made compliant, you’ll need to change the status of the affected control/assessment procedure to Not Compliant in eMASS and create a POA&M item for that finding. Once eMASS matches the findings from your imported CMRS file, you will no longer have these “conflicted controls”.
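The reconciliation eMASS performs on import can be reproduced offline to see exactly which Open STIG items are driving each “conflicted control”. The example below is added here and is not eMASS or BAI code; the STIG item IDs, the CCI-to-control mapping and the control statuses are constructed for illustration, so substitute your own CMRS export and the official CCI list.

```python
from collections import defaultdict

# Constructed sample of STIG items as they would arrive in a CMRS import.
# vuln_id values are placeholders, not real STIG vulnerability IDs.
STIG_RESULTS = [
    {"vuln_id": "V-EXAMPLE-1", "cci": "CCI-000366", "status": "Open", "source": "SCAP"},
    {"vuln_id": "V-EXAMPLE-2", "cci": "CCI-000366", "status": "NotAFinding", "source": "SCAP"},
    {"vuln_id": "V-EXAMPLE-3", "cci": "CCI-000018", "status": "Open", "source": "Manual"},
    {"vuln_id": "V-EXAMPLE-4", "cci": "CCI-000044", "status": "Not_Applicable", "source": "Manual"},
    {"vuln_id": "V-EXAMPLE-5", "cci": "CCI-001682", "status": "Open", "source": "SCAP"},
    {"vuln_id": "V-EXAMPLE-6", "cci": "CCI-PLACEHOLDER", "status": "Open", "source": "Manual"},
]

# Constructed CCI -> control mapping for this example (use the official CCI list in practice).
CCI_TO_CONTROL = {
    "CCI-000366": "CM-6",
    "CCI-000018": "AC-2",
    "CCI-000044": "AC-7",
    "CCI-001682": "AC-2(2)",
}

# Control status as previously recorded in eMASS (constructed).
EMASS_CONTROL_STATUS = {
    "CM-6": "Compliant",
    "AC-2": "Compliant",
    "AC-7": "Compliant",
    "AC-2(2)": "Not Compliant",
}


def find_conflicts(stig_results, cci_to_control, control_status):
    """Return {control: [vuln_ids]} for every control marked Compliant in eMASS
    that has at least one Open STIG item mapped to it through its CCI.
    NotAFinding and Not_Applicable items never create a conflict, and a control
    already marked Not Compliant is not reported because it already agrees."""
    open_by_control = defaultdict(list)
    for item in stig_results:
        if item["status"] != "Open":
            continue
        control = cci_to_control.get(item["cci"])
        if control is not None:
            open_by_control[control].append(item["vuln_id"])
    return {c: sorted(v) for c, v in open_by_control.items()
            if control_status.get(c) == "Compliant"}


def unmapped_open_items(stig_results, cci_to_control):
    """Open items whose CCI is not in the mapping: these cannot be reconciled
    to any control and need a corrected mapping before re-import."""
    return sorted(i["vuln_id"] for i in stig_results
                  if i["status"] == "Open" and i["cci"] not in cci_to_control)
```

Each control in the returned dict is one that must either be fixed at the STIG level and re-imported, or flipped to Not Compliant with a POA&M item for the listed STIG IDs.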
Dear Doctor RMF,
My organization is developing a new system and we were told by our command that we need to pursue an ATO in accordance with RMF. Unfortunately, none of us has a shred of cybersecurity experience. Our manager, Carl, who is not even an IT person, instructed us to look on the RMF Knowledge Service website for guidance on what to do. Mary, one of our technical support people, suggested the DISA website. Both of these look like good sources, but frankly we were overwhelmed by the sheer volume of information out there. We couldn’t even figure out where to begin. We have 12+ months to get this done, which we hope is enough time if we can get off to a good start. Dr. RMF, can you give us some concise guidance on how best to get our efforts going in the right direction?
Lost in RMF-land
Being overwhelmed at the start of the RMF process is VERY common. You are not alone; in my opinion, the majority of RMF issues are rooted in folks being overwhelmed by the sheer volume of RMF information. With the publication of NIST SP 800-37 Rev 2, the first step of the RMF process is Step 0 – Prepare. I firmly believe the best way to operationalize Step 0 of the RMF process is to attend an RMF training program that is chock-full of practical guidance. Whether you choose to attend training through BAI or another organization, I strongly suggest you make sure the program you enroll in is taught by RMF practitioners with real-world RMF experience. Unfortunately, training classes can crop up that are led by someone with minimal RMF experience, teaching from a PowerPoint handed to them by organizational leaders trying to “make a quick buck” off the need for RMF training.
Enrolling in an RMF training program is critical to the success of RMF initiatives. As Dr. RMF, I am currently conducting peer-reviewed research to support this hypothesis. For additional information on the relationship between the receipt of formalized RMF training and perceptions of RMF effectiveness, my doctoral dissertation can be found at www.rmf.org/rmfdissertation.
Dear Doctor RMF,
We recently went through RMF assessment and we were told that numerous CCIs were non-compliant because we had not provided “compelling evidence”. To the best of our knowledge, we had artifacts showing policy and procedure (SOP) covering each control/CCI in our baseline. Dr. RMF, please help us understand what more we can provide in the way of evidence that will make these items compliant?
Compelled to Write
Unfortunately, RMF can be a very subjective process! My recommendation would be to review your non-compliant CCIs and make sure you have provided evidence that sufficiently examines, interviews, and tests the controls. Although not all of these methods can be shown with physical evidence, the examples below may help.
- EXAMINE – Review, observe, or analyze assessment objects (i.e., specifications, mechanisms, or activities) to facilitate assessor understanding, achieve clarification, or obtain evidence.
- INTERVIEW – Conduct discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence.
- TEST – Run assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. Examples: automated test tool output, system configuration screenshots.
The full body of compelling evidence for each Control/CCI should include the following:
- Policy – a statement that the organization does what the Control/CCI mandates
- Procedure – documentation that shows how the organization does what the Control/CCI mandates
- Evidence – documentation that demonstrates that the organization is actively utilizing the documented procedure