“Secret Admirer” writes:
I’m finally ready to admit it publicly … I’m a huge admirer of Dr. RMF … Oh, how I love a man in a white coat!
Beyond that, I do have an RMF-related question. I’m an application developer in my company and I just found out our system engineers are handling STIG compliance in a very “odd” way. What they do is they scan the server with SCC and for any items that come up non-compliant they just write “Necessary for system functionality” in the STIG Viewer. They don’t even try to remediate the finding. When I pointed out how wrong this is, they told me the government ISSM had approved what they are doing. I tried appealing to my boss but he told me “that’s engineering’s problem” and I should stay out of it. Please, Dr. RMF, tell me what I can do to fix this.
Dr. RMF Responds:
I agree you’re in a difficult position, but the good news is this is a problem that may very well fix itself, so to speak. The system your company is developing will undoubtedly need to go through independent assessment before an ATO is approved. If the assessors are at all on the ball, they will quickly pick up on this “creative” approach to STIG compliance, and may very well write this up as a high risk finding. The government ISSM will then find himself in the position of having to ask your company to revisit the STIG compliance effort and actually do it right.
By the way, for what it’s worth, if Dr. RMF was in charge of things, that ISSM would find himself out of a job.
Oh, and one more thing. Dr. RMF thanks you for being a not-so-secret admirer. But please, let’s just leave it at that. After all, I am a married man and I wouldn’t want Mrs. RMF getting upset
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/