Dear Dr. RMF,
In my office we are disputing whether RMF Control SA-4 can be inherited, or if it needs to be system-specific. The control description includes the word “Organization”, but the compelling evidence (per eMASS) calls for the SSP. Furthermore, the Assessment Procedure calls for the contract/agreement to be inspected. I am saying that since this control is talking about contracts/agreements, and each contract/agreement is unique to the system, this control is meant to be system-specific. Others are saying that since the control says “organization” it could be inherited.
SA-4 appears to be a system-specific requirement since the number and types of contracts/agreements in place will vary from system to system. In my experience, the contracts/agreements themselves are presented as artifacts in support of this CCI, rather than the SSP itself.
For what it’s worth, the term “organization” is used throughout the control baseline and most often refers to the system owner rather than the “upper command”.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus on RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.