By Grace Brammer, RDRP
The very first time I heard about a so-called ‘RMF process,’ I was in my freshman year of college. To anyone familiar with the industry, it may come as a shock to hear that my initial exposure to RMF left me with a mixture of emotions—mostly confused, slightly intimidated…yet still intrigued by this aspect of security I had not heard of before. All the publications, controls, rules, and unfamiliar acronyms left me dazed at first—especially the acronyms. I could not fathom how anyone could remember such similarly spelled words! I found myself wondering, “What’s the difference between an ISSO and ISSM?” and “Why do so many control families start with the letter ‘A’?” I had no idea at the time that a little less than a year later, I would find myself working a job supporting an organization that teaches all things RMF—a concept I previously never even knew existed.
What Do You Do for Work?
Surprisingly, one of the most complicated parts of RMF for me thus far has been trying to explain to other people what it is that I do, exactly. For the people who, I can tell, do not really want to know all about NIST SP 800-53 Rev. 5, STIGs, or the latest Excel spreadsheet I have seen, I give them the short answer: “Cybersecurity!” Being a Junior Consultant, however, when it comes to talking with people who are not like my college self and have heard of RMF before, I can sometimes feel unqualified to speak confidently about my work. Luckily, I know now that RMF is such a big process that there is no way to realistically memorize everything at once. I may still be learning; continuing education is important for a reason, after all.
My latest undertaking has involved working with the control families Awareness and Training (AT) and Risk Assessment (RA) on a private system. My first real consulting project has made me realize it is far better to ask questions as they come up, rather than assume you are correct the first time. I made a mistake documenting my very first set of controls when I assumed the system I was working on was a DoD-compliant one. A large number of the controls I was reading through came with a note saying, “The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.” I worked the entire control family under the impression these were automatically compliant, when I should have stopped to ask for more information about the system from the beginning. In actuality, the system was a cleared contractor’s system being authorized by DCSA, not the DoD, disqualifying it from the ‘automatically compliant’ status I had assumed would apply to it. All this to say—when doing RMF, don’t do it alone!