By P. Devon Schall, CISSP, RDRP
With the addition of Step 0 to the RMF life cycle, we decided to make this month’s top ten list based on preparation. Preparation is often one of the most overlooked aspects of RMF. The road to an ATO is often paved with unexpected setbacks, these setbacks can be overcome with proper preparation.
It is critical to answer the key questions below in RMF project preparation.
10. Has the system been registered with the DoD Component Security Program?
Registering your system and obtaining an appropriate ID number should occur early in the RMF life cycle. If you are using eMASS to manage your RMF project, a registration number, such as a DITPR ID number, is required in order get started. Overlooking this step will likely cause unnecessary delays to your RMF efforts down the line.
9. What is the system boundary?
Having a clear understanding of system boundaries is critical. Start conversations internally with your team to verify everyone is on the same page regarding system boundaries.
8. What is the system’s mission?
We often find folks don’t always understand the details of their system’s mission. Start a conversation with your team about your system. Don’t let insecurity about a possible lack of knowledge interfere with forward progress.
7. Does the system handle PII/PHI?
The handling of PII and PHI could require a privacy overlay which can greatly increase the scope and amount of controls assigned to your system. Perform an assessment of the system and establish if it handles PII/PHI.
6. What controls are inheritable?
Inheritable controls can save you massive amounts of RMF project time. A great example is the utilization of cloud service providers which includes the inheritance of many control families including physical and media protection. Note that inheritable controls must come from a validated source and only systems or services with an ATO can provide inheritable controls.
5. Will we be using an automated tool such as eMASS or Xacta?
eMASS and Xacta can potentially be BIG time savers. “Hand jamming” controls is very time consuming. Find out early in the project if you will be using automated tools and if your staff has the appropriate security permissions AND TRAINING to use these tools.
4. Who is the Authorizing Official (AO) or Authorizing Office Designated Representative (AODR)?
Start conversations with your AO/AODR early in the project to maximize transparency and communication channels. The AO staff are very busy, and it is highly recommended to get on their radar as soon as possible.
3. What is our system categorization?
Learning about the information types your system handles is a critical part of system categorization. Start early with system categorization and researching on information types in NIST SP 800-60 volumes 1 & 2.
2. What will system assessment be performed?
Each DoD component has its own process for independent assessment. Independent assessors often have a backlog of work and cannot perform an assessment on short notice. plan in advance to avoid any time hindrances.
1. Do we need RMF training?
Some things in life are easier to understand by doing extensive Googling and avoiding traditional training delivery methods. RMF is not one of those things. RMF has many intricacies, and it is highly recommended your staff attend baseline RMF training. The time saved in proper RMF education is well worth training time invested.