Dear Dr. RMF,
In my research I cannot find any Agency-level documentation that states this; however, I have located examples of contracts that have PII guidance pertaining to contractors. So, would it be considered compliant if I have examples of the contracts, or should this be documented at Agency level to provide guidance for everyone? From my interpretation, this needs to be documented at an Agency level.
AR-3.4: The organization establishes privacy roles for service providers.
AR-3.5: The organization establishes privacy responsibilities for service providers.
AR-3.7: The organization includes privacy requirements in contracts.
AR-3.8: The organization includes privacy requirements in other acquisition-related documents.
RMF Agency Level Documentation,
I agree the use of the word “organization” in AR-3 (and elsewhere throughout NIST SP 800-53) is subject to interpretation. Based on the other verbiage in the control and underlying CCIs, I agree the intent is for the overarching “organization” (i.e., at command or agency level) to have documented standards for these things.
By the way, in NIST SP 800-53 Rev 5 (new version not yet formally adopted by DoD), the use of terms like “The system owner will do this…” or “The organization will do this…” has been replaced with imperative statements, i.e., “Do this…”. In other words, they are stressing the “what to do” over the “who does it”. Whether this resolves some of the confusion or adds to it remains to be seen.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.