Top Ten RMF Pitfalls Revisited

By Lon Berman, CISSP of BAI Information Security

Like any complex process, RMF is not without its share of potential pitfalls. Now that we have the benefit of some more RMF projects under our belt, we thought it was time for a “revisited edition” of the RMF Top Ten Pitfalls.

10. Assuming system boundaries have remained the same.

While transition from DIACAP to RMF will not in itself cause system boundaries to change, it is critical to confirm the system boundary before beginning the RMF process.

9. Assuming roles and responsibilities have remained the same.

RMF transition certainly changes the names of some key roles (e.g., DAA is now AO), but, beyond that, it’s important to confirm the individuals’ names. Many organizations are using the RMF transition as an opportunity to also assign new people to many roles.

8. Assuming system categorization will be easy.

System categorization is a major task, involving information owners and system owners, as well as cybersecurity personnel. Be sure to allow sufficient time to get it right!

7. Assuming security control inheritance will be straightforward.

Inheritance from common control providers such as DoD data centers involves close coordination and attention to detail. Inheritance from commercial cloud providers can be even more challenging.

6. Failing to consider security control overlays.

Failure to properly account for security control overlays can cause critical security controls to be missed. The Privacy Overlay requires particularly close attention because it entails an additional “categorization” step.

5. Underestimating the lead time required for independent assessment.

RMF assessor teams are busier than ever. Be sure to make contact early to ensure timely service and avoid overall project delays.

4. Expecting too much out of existing documentation artifacts.

RMF controls are much more detailed about what needs to be present in the various documentation artifacts (e.g., Incident Response Plan). Do not assume all the controls are covered just because you already have an artifact by that name.

3. Underestimating the training required.

It takes specialized knowledge and skill to successfully navigate the RMF process, understand the controls, etc. Training can get your staff “up to speed” quickly.

2. Underestimating the time required.

It is critical to be realistic about the time required to get through the RMF process. It is absolutely appropriate to get started one year prior to the required date, even for an already accredited system.

1. Underestimating the resources required.

The biggest single pitfall is underestimating the resources required to successfully execute the RMF process. The required resources span a variety of skill sets, to wit:

  • Security analysts (to understand the controls and assessment objectives)
  • System engineers (to plan for implementation of technical controls)
  • Technical writers (to develop and/or revise system documentation artifacts)
  • Data entry personnel (to enter information into an RMF support tool such as eMASS) … and more!

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.