Dear Dr. RMF,
Please help me better understand RMF Assess Only. Some of my colleagues are saying we should consider pursuing an Assess Only ATO because it’s so much easier than going through the full ATO process. Is that even for real?
Dr. RMF responds:
RMF Assess Only is absolutely a real process. The RMF Assess Only process is appropriate for a component or subsystem that is intended for use within multiple existing systems. The idea is to assess the new component or subsystem once, and then make that assessment available to the owners of receiving systems in order to expedite addition of the new component or subsystem into their existing system boundary. In other words, RMF Assess Only expedites incorporation of a new component or subsystem into an existing system that already has an ATO. And by the way, there is no such thing as an Assess Only ATO. If you think about it, the term Assess Only ATO is self-contradictory. After all, if you’re only doing the “assess” part of RMF, then there is no “authorize” and therefore no ATO.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.