Dear Dr. RMF,
In my office we are disputing the intent of RMF Control SA-4(9), i.e., whether it can be inherited or if it is intended to be system-specific. The control description states "organization," but the compelling evidence calls for the SSP. Furthermore, the AP procedures call for contracts/agreements to be inspected. I am saying that since this control is talking about contracts/agreements, and each contract/agreement is unique to the system, this control is meant to be system-specific. Others are saying that since the control says "organization," it could be inherited. We have had similar debates over other controls written like this. Is there a standard rule of thumb that could be applied? What is the best way to address controls written like this one: system-specific, or inheritable through a common control boundary?
RMF Control Dispute,
Thank you for submitting your question to Dr. RMF. Firstly, I’m not 100% sure about which control/CCI you are referring to. I do see a CCI on the subject of contracts and agreements, and it is under SA-4, not SA-4(9). That appears to be a system-specific requirement since the number and types of contracts/agreements in place will vary from system to system. In my experience, the contracts/agreements themselves are presented as artifacts in support of this CCI, rather than the SSP itself.
For what it’s worth, the term “organization” is used throughout the control baseline and most often refers to the system owner rather than the “upper command”.
Do you have an RMF dilemma that you could use advice on? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.