By Lon J. Berman, CISSP, RDRP
All of us who have spent time working with RMF have come to understand just what a time-consuming and resource-intensive process it can be. As bad as that may be, it is made even worse when the same application or system ends up going through the RMF process multiple times in order to be approved for operation in a distributed environment (i.e., multiple locations). It turns out RMF supports three approaches that can potentially reduce the occurrence of redundant compliance analysis, testing, documentation, and approval. These are: Reciprocity, Type Authorization, and Assess Only. This article will introduce each of them and provide some guidance on their appropriate use … and potential abuse!
According to the RMF Knowledge Service, Cybersecurity Reciprocity is designed to “reduce redundant testing, assessing and documentation, and the associated costs in time and resources.” The idea is that an information system with an ATO from one organization can be readily accepted into another organization’s enclave or site without the need for a new ATO. For this to occur, the receiving organization must:
- Review the complete security authorization package (typically in eMASS)
- Determine the security impact of installing the deployed system within the receiving enclave or site
- Determine the risk of hosting the deployed system within the enclave or site
- If the risk is acceptable, execute a documented agreement (MOU, MOA or SLA) with the deploying organization for maintenance and monitoring of the system
- Update the receiving enclave or site authorization documentation to include the deployed system
It should be noted the receiving organization must already have an ATO for the enclave or site into which the deployed system will be installed.
Reciprocity can be applied not only to DoD, but also to deploying or receiving organizations in other federal departments or agencies.
Type Authorization is a specific variant of reciprocity in which an originating organization develops an information system with the explicit purpose of deploying said system to a variety of organizations and locations. Per DoD 8510.01, Type Authorization “allows a single security authorization package to be developed for an archetype (common) version of a system, and the issuance of a single authorization decision (ATO) that is applicable to multiple deployed instances of the system.” Type authorization is used to deploy identical copies of the system in specified environments. Type authorized systems typically include a set of installation and configuration requirements for the receiving site.
The receiving organization Authorizing Official (AO) can accept the originating organization’s ATO package as authorized. This permits the receiving organization to incorporate the type-authorized system into its existing enclave or site ATO. A type-authorized system cannot be deployed into a site or enclave that does not have its own ATO. The receiving site is required to revise its ATO documentation (e.g., system diagram, hardware/software list, etc.) to include the type-authorized system.
Note that if revisions are required to make the type-authorized system acceptable to the receiving organization, they must pursue a separate authorization.
RMF Assess Only
IT products (hardware, software), IT services and PIT are not authorized for operation through the full RMF process. However, they must be securely configured in accordance with applicable DoD policies and security controls, and undergo special assessment of their functional and security-related capabilities and deficiencies. This is referred to as “RMF Assess Only”.
The Information Systems Security Manager (ISSM) is responsible for ensuring all products, services and PIT have completed the required evaluation and configuration processes (including configuration in accordance with applicable DoD STIGs and SRGs) prior to incorporation into or connection to an information system.
Thus, the Assess Only process facilitates incorporation of new capabilities into existing approved environments, while minimizing the need for additional ATOs. Additionally, in many DoD Components, the RMF Assess Only process has replaced the legacy Certificate of Networthiness (CoN) process.
It is important to understand that RMF Assess Only is not a de facto Approved Products List.