Daphne in Kansas City asks:
Dr. RMF, we are bidding on a multi-year contract to provide services to a DoD agency. The process is down to the final stage and we are looking good to win the work. Assuming we are awarded the work, the government will be requiring us to maintain a small network of classified computers in our facility. We have a facility clearance and have been working for many years with DSS (now DCSA), but we’ve never had any in-house classified IT. It is our understanding we will need an ATO for these classified computers. What can you tell us about the effort involved?
Dr. RMF responds:
Daphne, the most important thing you’ll need to do is to establish contact with the Information System Security Professional (ISSP) at your local DCSA office. The ISSP is the person who can give you the best advice as to the steps you’ll need to take. You’ll be building an RMF package in eMASS, so getting some training on that tool will be extremely helpful. If you do not have anyone in your company who is familiar with the RMF security controls or the DISA STIGs, then getting some training in those areas would also be critical. You may wish to engage the services of a consultant to help guide you through the RMF process. Dr. RMF wishes you the best of luck in your RMF journey.
Do you have an RMF dilemma that you could use advice on? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.