A reader who calls himself “Between a Rock and a Hard Place” writes:
Dear Dr. RMF,
My unit is in the early stages of our RMF efforts for a new information system and we are having a little bit of a “debate” about which “version” of the RMF controls we should be following. I know DoD is in the process of moving from the NIST 800-53 Rev 4 controls to the Rev 5 controls. Some folks here are saying we should stick with Rev 4 since that is the current DoD policy, while others are advising me to “lean forward” and go with the Rev 5 controls since the change is sure to happen “soon”. In either case, I know it’s a major effort to go through all those controls and I want to do it right. What do you recommend, Dr. RMF?
Dr. RMF Responds:
Dear Between,
All other things being equal, Dr. RMF would put himself firmly in the “lean forward” camp (i.e., go with the Rev 5 controls). That said, Dr. RMF recommends you first seek guidance from your Authorizing Official (AO). I’m hoping he or she will advise you to start with the Rev 5 control set, but you never know. Oh, and there’s one more thing to keep in mind. If your organization requires you to use eMASS, you may find it will not support the Rev 5 controls until a software upgrade, not yet scheduled, occurs. You may be forced to start with the Rev 4 controls and then “convert” your RMF package after the eMASS update takes place.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/