Dear Dr. RMF,
We are having a dispute in our office about how to handle security control selection for a “non-National Security System” (non-NSS). We know DoD has mandated that System Categorization and Security Control Selection shall be done “in accordance with CNSSI 1253”. However, the CNSSI 1253 security control baselines include numerous controls that are intended for use in NSS only; these are the ones marked with a plus sign (“+”) in CNSSI 1253 Appendix D.
The two schools of thought are:
- Since the controls marked with a plus sign are intended for use in NSS only, we are justified in tailoring them out of the baseline (or making them NA) for a non-NSS.
- The DoD mandate to use CNSSI 1253 for security control selection implies that all controls in the baseline (including those marked with a plus sign) are in scope.
It’s quite a few additional controls, so we want to be sure we’re going about this correctly. Please Dr. RMF, can you point us in the right direction here?
It does seem logical that controls marked as being applicable to NSS only should not be included in the baseline for non-NSS. However, this question has been hotly debated within DoD and it has been determined that the DoD mandate to “use CNSSI 1253” requires that *all* controls should be included in the baseline, even those marked with the plus sign. If you’re using eMASS to manage your RMF package, you’ll see that all controls are included in the baseline by default. It is not considered acceptable by most independent validators for the system owner to tailor out the “NSS-only” controls. Sorry for the bad news!
Do you have an RMF dilemma that you could use advice on how to handle? If so, ask Dr. RMF! BAI's Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.