“Teamwork? I think not!” writes:
Dear Dr. RMF,
I am trying to put together a team to work the RMF process for a new system that’s under development. I got the bright idea of having each of the team members take responsibility for the security controls that are pertinent to their area of responsibility, to include entering the data for their controls into eMASS. Sounds great, right? Well, I am getting all kinds of pushback from several of my team members. They are just not willing to go through all the steps (e.g., taking eMASS training and passing a test) required to get access to eMASS. They would rather send me their input and have someone else (i.e., me) enter it into eMASS. After all, they say, “they are not the security person”; I am. My feeling about what they are doing is that it’s nothing but “work avoidance” on their part. I think they are trying to take advantage of the fact that I am young and have never led a team before. What do you think, Dr. RMF? Am I justified in bringing this to the attention of my boss to see if he can use his “weight” to get these people in line?
Dr. RMF Responds:
What you are suggesting sounds like a good approach in theory, but the reality is eMASS does not readily support it. Your approach would work if eMASS access for each individual could be restricted to only the set of controls assigned to them. Unfortunately, eMASS does not have that level of “granularity” in its access controls. Dr. RMF feels it is not worth the risk of error to open up access to all the security controls to inexperienced individuals whose responsibility only includes a select few of the controls. It will be better in the long run if you accept the team members’ input by e-mail or a shared file system and do the actual eMASS data entry yourself. Better still, Dr. RMF recommends you assign at least one other team member as your “backup” for eMASS data entry and make sure that person is fully trained and has full access to the eMASS record for your new system. With a backup person in place, the two of you could potentially “share the labor” of data entry.
Do you have an RMF dilemma you could use advice on? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants, who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/