Dear Dr. RMF,
I am doing an annual review for an information system I have. Originally, this was inherited from our network boundary, but in reviewing this again it speaks specifically to information systems, which from my under-standing this cannot be inherited. If I am reading this control correctly it speaks to the information system controlling this service. So if the application I am reviewing does not provide this service would this be N/A, or an exception to the rule and inheritable from the network boundary?
SC-22: Architecture And Provisioning For Name / Address Resolution Service
RMF Inheritance Challenges,
The control you cite absolutely meets the definition of an inheritable control. The “information system” cited in the control actually refers to the network/hosting provider (enclave) within which your system resides. Inheritance is in play because the control: a) is implemented outside your system boundary; and b) inures to the benefit of your system. In order to be fully compliant with your claim of inheritance you should also verify that there is a formal relationship between your system owner and the owner of the hosting enclave (i.e., an MOA, MOU, SLA or contract), and that the hosting enclave is in fact compliant with said control.
All that said, it is possible the hosting provider simply has not chosen to offer this control up as inheritable. That would be an oversight on their part, in my opinion, if they are in fact providing the service. In such a case you could certainly approach the hosting provider and try to convince them to offer this control up as inheritable. Failing that, you could probably get away with declaring the control to be “Not Applicable” to your system, with the following justification: “System XXX does not provide ad-dress resolution services”, which would be a true statement.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.