Dear Dr. RMF,
First of all, just stumbled across this blog few days ago….awesome! There is piles of documentation but not enough community sourced help for the RMF process. I tried starting an RMF sub-reddit but it never took off!
I have so many questions! But one in particular that is hard to get answers: what are the pros and cons of providing inheritance?
I support a system that will automate access control processes for a number of other systems, which will interface with us through API. We handle the 2875 process, spit them a set of outputs, and their system provisions an account based on what we send. There is a number of other recertification features designed to remediate audit findings, but don’t need to get into the details.
The goal is for us to provide a handful of AC controls to inherit to these connected systems. What types of considerations and risks should we keep in mind when deciding what controls to provide for inheritance?
Thank you so much!
In spite of the fact that your sub-reddit effort was not successful, Dr. RMF commends you for trying to increase the level of communication within the RMF community.
Offering up controls for inheritance is clearly an advantage to the connected systems that interface to you. Inheritance allows them to leverage your compliance and avoid having to deploy their own technical solutions or develop their own documentation in those specific areas.
The challenge is to select controls for which you are able to provide 100% of the implementation. With the obvious exception of physical and environmental controls, there are probably only a few controls that your connected systems can fully implement solely by leveraging your implementation. For many other controls, it is far more likely that your connected systems’ implementation would be a combination of your efforts and theirs. Dr. RMF recommends you consider offering them up as hybrid inherited controls.
The biggest issue that can arise from security control inheritance is that receiving systems tend to “blindly” accept everything a common control provider offers. What they should be doing is carefully reviewing each control that is offered up as inheritable and selecting for inheritance only those that they can truly comply with by virtue of the provider’s implementation.