Dear Dr. RMF,
What is the purpose of having all personnel register at the DTIC website to receive update notifications? If we do not implement this, do we need to submit a POA&M for risk acceptance to the AO?
Regarding CA 1.6, the expression “What were they thinking?” comes to mind. Dr. RMF has no idea why they thought it so important that everyone in an organization subscribe to DTIC. That said, you pretty much have no choice but to mark that CCI non-compliant and, as you said, approach your AO for an “acceptance of risk”.
Upon further research, it appears the Army has dealt with the problem by virtue of a common control that is inheritable by all Army programs. In essence, the common control states the Army has its own way of notifying personnel of updates to policies, etc., and this serves as a “compensating control” in lieu of the DTIC requirement.
I hope that helps.
Do you have an RMF dilemma that you could use advice on handling? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.