Dear Dr. RMF,
I have recently taken over responsibility for a couple of systems and the RMF packages are a mess! I’m trying to make some sense out of how they handled the STIGs and it just makes no sense to me. When I go through the STIG Viewer, I find numerous STIG items marked as Compliant, but the comments indicate they are actually not compliant and there is still work left to do. Dr. RMF, do you have any idea what might be going on? How do I address it?
Dr. RMF Responds:
Dr. RMF has acquired lots of experience over the decades, but mind reading is still not part of my skill set, so I can’t call you for sure what sort of thought process led to them filling out the STIG Viewer like that. It’s possible they were wanting to be sure none of their non-compliant STIG items translated into non-compliant controls when the STIG Viewer file was imported into eMASS. Dr. RMF is more than a bit surprised that sort of deception actually got past the assessor and the AO, but, as they say, stranger things have happened!
To make it right, you’ll need to go back to the STIG Viewer and correct the compliance status of those STIG items, then re-import the STIG Viewer file into eMASS. You’ll end up with a bunch of non-compliant controls and corresponding POA&M items you’ll need to complete. Better yet, start from scratch and go through the STIGs yourself and fill out fresh STIG Viewer files and import those into eMASS. That way, you can be sure any additional “cover-ups” have been removed.
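One way to find the pattern the reader describes before re-importing anything, as an added example that is not part of the column or of any BAI tool: a Python check that parses a STIG Viewer checklist and flags items whose STATUS says NotAFinding while the finding details or comments read like outstanding work. The element names (CHECKLIST/STIGS/iSTIG/VULN with STATUS, FINDING_DETAILS, COMMENTS and a Vuln_Num pair in STIG_DATA) follow the .ckl XML layout as I know it and are an assumption; the sample checklist and the keyword list are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the STIG Viewer .ckl layout (assumption, not a file from
# the column). Two items claim NotAFinding; only the second one's notes describe open work.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>NotAFinding</STATUS>
    <FINDING_DETAILS>Verified the setting matches the STIG value.</FINDING_DETAILS>
    <COMMENTS>Checked on the live system.</COMMENTS>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>NotAFinding</STATUS>
    <FINDING_DETAILS></FINDING_DETAILS>
    <COMMENTS>Not yet configured; ticket open, will fix next quarter.</COMMENTS>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Open</STATUS>
    <COMMENTS>Not yet configured.</COMMENTS>
  </VULN>
</iSTIG></STIGS></CHECKLIST>"""

# Phrases that usually mean work is still outstanding (constructed list; tune it per package).
OPEN_WORK = re.compile(r"not (yet )?(compliant|configured|implemented|complete)"
                       r"|\b(todo|will fix|pending|in progress|ticket open|remediat)", re.I)

def vuln_num(vuln):
    """Return the V-number stored in a VULN's STIG_DATA attribute/value pairs."""
    for data in vuln.findall("STIG_DATA"):
        if data.findtext("VULN_ATTRIBUTE") == "Vuln_Num":
            return data.findtext("ATTRIBUTE_DATA", "")
    return "?"

def suspicious_items(ckl_xml):
    """Return (vuln_num, notes) for items marked NotAFinding whose notes read like open work."""
    hits = []
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        status = (vuln.findtext("STATUS") or "").strip()
        notes = " ".join(vuln.findtext(tag) or "" for tag in ("FINDING_DETAILS", "COMMENTS"))
        if status == "NotAFinding" and OPEN_WORK.search(notes):
            hits.append((vuln_num(vuln), notes.strip()))
    return hits

if __name__ == "__main__":
    for vid, notes in suspicious_items(SAMPLE_CKL):
        print(f"{vid}: marked NotAFinding, but the notes say: {notes}")
```

Run it against each exported .ckl before the eMASS import; every hit is an item to re-assess by hand, since a keyword match is a prompt to look, not proof of non-compliance.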
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/