Skip to main content

Dear Dr. RMF – Let’s Get Physical

RMF

“Let’s Get Physical” asks:

Control Enhancement AT-3(2) states “The organization provides … training in the employment and operation of physical security controls”. Our system is hosted in the cloud (by a commercial cloud service provider) and therefore we have no physical security controls within our system boundary. At first we thought this should be covered by inheritance, so we requested a list of inheritable controls from our cloud service provider. On there we found the entire Physical and Environmental (PE) family of controls, but nothing in the Awareness and Training (AT) family. If it’s not inheritable, that seems to leave AT-3(2) in our hands. What is the best way to handle this situation in our RMF package?

Dr. RMF Responds:

First of all, Dr. RMF wonders about the name “Let’s Get Physical”. Are you old enough, like me, to remember 1970’s country/pop singer Olivia Newton-John’s hit song? Or do you just watch lots of vintage shows on cable TV?

In any case, Dr. RMF sees two possible approaches to your dilemma. Probably the “most correct” approach would be to approach your cloud service provider and ask them to add AT-3(2) to their list of inheritable controls. The downside of this is it could take lots of time for your request to work its way through the proper channels to get this done and allow you to inherit compliance.

A simpler way would be to declare AT-3(2) as “Not Applicable” in your RMF package and explain the situation in your Security Plan. The one thing that is clear is that your organization does not need to provide any additional training to your personnel in response to this control.

 

Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.

Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity

Dr. RMF submissions can be made at https://rmf.org/dr-rmf/


Post Categories: Dr. RMFRisk Management Framework Tags: