By Lon J. Berman, CISSP, RDRP
More than ten years ago, RMF came into existence with the intention of becoming the “unified information security framework for the federal government”. With widespread adoption of RMF throughout most federal civil agencies, DoD components and intelligence community agencies, it is safe to say that goal has been met. However, it is important to understand that while RMF is a unified information security framework, it is not a 100% uniform information security framework. There are differences, some significant and others subtle, in the way RMF has been put into practice in the various departments and agencies.
Almost all departments and agencies have adopted the key RMF publications, such as NIST SP 800-37. They have then adapted this guidance into their own departmental or agency level policy. This article will highlight some of the adaptations that we see across the government landscape.
RMF Roles and Responsibilities.
One of the key areas of adaptation is the appointment of the Authorizing Official (AO). Many agencies appoint a single AO to be responsible for issuing and monitoring the Authorization to Operate (ATO) for all systems within the agency. Smaller agencies with few systems are the most likely to have a single AO, but some large organizations, such as the US Navy, have also embraced this approach. In the case of a large agency with a single AO, the AO will typically have a large staff to handle most of the mechanics of the authorization process. Many large organizations have multiple AOs to cover the various mission areas and programs.
Most government organizations handle RMF system registration under the larger umbrella of IT Portfolio Management. Each department or agency has its own database for this purpose, and its own process for creating and updating records in that database.
NIST SP 800-37 specifies that each system will be categorized as having a single security impact level of High, Moderate or Low, using the categorization process delineated in Federal Information Processing Standard (FIPS) 199. However, systems designated as National Security Systems (NSS) are categorized in a different fashion, following the process delineated in Committee on National Security Systems Instruction (CNSSI) 1253. NSS are categorized as High, Moderate or Low separately for each of the three principal security objectives: Confidentiality, Integrity and Availability. That is how it plays out in most departments and agencies; DoD, however, is a notable exception: all DoD systems, both NSS and non-NSS, are categorized in accordance with CNSSI 1253.
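To make the difference between the two categorization styles concrete, here is an added worked example (not code from the article or from any agency tool). The information types and their impact levels are constructed sample data for a hypothetical system; the aggregation rule (each objective takes the highest level assigned to any information type, and the FIPS 199 system level is the high-water mark across the three objectives) follows FIPS 199, while the CNSSI 1253 variant keeps the three per-objective values instead of collapsing them.

```python
"""FIPS 199 vs. CNSSI 1253 style system categorization (added example).

Assumptions, not from the article: the information types and their
impact levels below are constructed sample data. The aggregation rules
are those of FIPS 199 (per-objective maximum across information types,
then a single high-water-mark level for the system); the CNSSI 1253
style keeps the three per-objective values separately.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Tuple


class Impact(IntEnum):
    """Potential impact levels; integer ordering lets max() pick the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type processed by the system, with its C/I/A impact."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


# Constructed sample data for a hypothetical system (not a real system).
SAMPLE_INFO_TYPES = (
    InfoType("Public web content", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InfoType("Personnel records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Mission scheduling data", Impact.LOW, Impact.MODERATE, Impact.HIGH),
)

Triple = Tuple[Impact, Impact, Impact]


def per_objective_max(info_types: Iterable[InfoType]) -> Triple:
    """For each security objective, the system inherits the highest impact
    level assigned to any of the information types it handles."""
    types = list(info_types)
    if not types:
        raise ValueError("at least one information type is required")
    return (
        max(t.confidentiality for t in types),
        max(t.integrity for t in types),
        max(t.availability for t in types),
    )


def cnssi1253_categorization(info_types: Iterable[InfoType]) -> Triple:
    """CNSSI 1253 style: report C, I and A separately; no high-water mark."""
    return per_objective_max(info_types)


def fips199_system_level(info_types: Iterable[InfoType]) -> Impact:
    """FIPS 199 style: collapse the three objectives to one overall level
    (the high-water mark), which then drives selection of a single baseline."""
    return max(per_objective_max(info_types))


def format_fips199(info_types: Iterable[InfoType]) -> str:
    """Render the categorization in the set notation FIPS 199 uses."""
    c, i, a = per_objective_max(info_types)
    return (f"SC = {{(confidentiality, {c.name}), (integrity, {i.name}), "
            f"(availability, {a.name})}}")


if __name__ == "__main__":
    print(format_fips199(SAMPLE_INFO_TYPES))
    print("FIPS 199 overall level:", fips199_system_level(SAMPLE_INFO_TYPES).name)
    print("CNSSI 1253 (C, I, A):",
          tuple(x.name for x in cnssi1253_categorization(SAMPLE_INFO_TYPES)))
```

For the constructed sample the per-objective result is (MODERATE, MODERATE, HIGH). Under FIPS 199 the single availability High drives the whole system to High, so a non-NSS system owner would start from the High baseline for every objective; under CNSSI 1253 the (M, M, H) triple is retained and controls are selected per objective, which is why a DoD package for the same system can look quite different from a civil-agency package. When reviewing someone else's categorization, check which rule the owning organization applies before disputing the impact level.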
Security Controls and Overlays.
Each department and/or agency may have its own unique set of overlays. Most overlays add security controls to the baseline to deal with specific types of systems (e.g., industrial control systems) or specific information content (e.g., classified information, privacy information).
Each department and/or agency will have its own approach regarding independent assessment (RMF Step 4). Some will maintain a dedicated staff of assessors to perform system assessments, while others rely on system owners to conduct self-assessments which are then reviewed by a staff assessor.
Many departments and/or agencies have standardized on an automated tool that is used by system owners to document their compliance with baseline controls, store and index documentation artifacts, record test results, etc. For most DoD agencies and a few outside DoD, the government-owned Enterprise Mission Assurance Support Service (eMASS) is the tool of choice. Commercial RMF tools such as Telos Corporation’s Xacta are employed in various departments and agencies across the government landscape. Still other organizations have built their own tool or database to collect RMF information.
The lesson learned here is that while RMF is largely the same across the government, there are numerous unique features in each department/agency’s implementation. If you are responsible for creating or maintaining an RMF package, be sure you engage with the owning organization’s Information System Security Manager (ISSM) to obtain the RMF policies and guidance relevant to that organization.