Dear Dr. RMF,
I have an information system that is currently being assessed and authorized and the boundary consists of desktops, laptops, printers, a major OS, and about 10 to 15 applications, which is spread throughout an enterprise. In reviewing the DoDI 8510.01 and the definition of IT products it speaks to HW/SW/Applications as assess only. My question is instead of treating this boundary as assess and authorize, could we make this assess only? (Enclosure 3 (pg. 12 bullet a)).
RMF Assess Only,
The purpose of Assess Only is to facilitate approval of an IT product to be accepted into a larger system that already has an A&A ATO. If the enterprise you speak of has an existing ATO, Assess Only may work for you. You would need to coordinate with the Authorizing Official of the system into which you wish to add these products.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.