Security Control Spotlight—By the Numbers

By Lon J. Berman, CISSP of BAI, Inc.

In this issue’s “Spotlight”, we’re not going to focus on any specific controls or families, but rather on a comparison of RMF controls and DIACAP controls.

The majority of DoD information systems are currently categorized under DIACAP as “MAC II Sensitive” or “MAC III Sensitive”. These categorizations equate roughly to “Confidentiality-Moderate, Integrity-Moderate, Availability-Moderate” or “Confidentiality-Moderate, Integrity-Moderate, Availability-Low”.

Per DoDI 8500.2, a total of 100 IA controls are applicable to a MAC III Sensitive system, while 106 are applicable to a MAC II Sensitive system. Consulting the DIACAP Knowledge Service, we find a total of 148 Assessment Procedures for a MAC II Sensitive system and 161 for a MAC II Sensitive system.

If we go through the same process under RMF, using CNSSI 1253 to do the control selection and NIST SP 800-53 as the “catalog” of controls, we find the total number of controls applicable to the “Moderate-Moderate-Low” baseline is approximately 160. Approximately 170 are applicable to the “Moderate-Moderate-Moderate” baseline. However, this does not take into account the control enhancement, which, for all intents and purposes, are like controls in themselves. The total number of applicable controls and enhancements or the “Moderate-Moderate-Low” baseline is about 380, and about 400 for the “Moderate-Moderate-Moderate” baseline.

Are you frightened yet?

Now, let’s go one step further and count the number of assessment procedures (NIST SP 800-53A, Rev 4) required to cover all these controls and enhancements. Let’s just say the number exceeds 1,500 for both the “Moderate-Moderate-Low” and “Moderate-Moderate-Moderate” baselines.

Is there any good news in all of this? Well, maybe just a little bit. It’s not quite fair to equate RMF assessment procedures with DIACAP assessment procedures. The RMF assessment items are much more granular, so, even though there are 10 times as many assessment procedures, there’s probably not 10 times the effort required to do an RMF assessment as there is for a DIACAP validation of the same system. Also, because the RMF assessment procedures are so granular, there is much more opportunity to use automated procedures for at least some fraction of them.

All that said, however, it is clear the level of effort associated with RMF promises to be significantly greater than it was for DIACAP. Just how much greater remains to be seen as DoD systems begin transitioning to RMF.

Everyone from top-level management down to the cybersecurity “boots on the ground” need to be mindful of the “adventure” that awaits us.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.