“Overlay Layover” asks:
I’m a little bit confused about how to find available security controls overlays. According to the RMF policy (DoD Instruction 8510.01) and the RMF Knowledge Service, approved overlays can be found on the CNSS.GOV website. Well, I keep looking there and all I see are the same handful of overlays that have been there for years (classified information overlay, privacy overlay, space platform overlay, etc.). I’m quite sure lots of additional overlays have been developed, but there don’t seem to be any new ones showing up. Why is that?
Dr. RMF responds:
Dr. RMF can confirm that there are in fact other overlays out there. It’s not altogether clear why they haven’t shown up as “official” overlays on the CNSS.GOV site. Dr. RMF suspects the process of gaining approval from CNSS may be sufficiently onerous that the overlay developers just haven’t chosen to go that route. Having said that, it is worth noting that many overlays have been developed for specific “communities of interest” and have been shared by some means within the said community. For example, several overlays dealing with classified contractor systems (under DCSA purview) have been made available in “NISP eMASS”, which is exclusive to that community.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.