“AO Picking on Us?” writes:
Dear Dr. RMF,
We have dutifully followed all the RMF process steps and created all the documentation deliverables (Security Plan, Security Assessment Report, POA&M, etc.). The package was approved by the Security Control Assessor (SCA) and sent on to the AO for final ATO approval and signature … or so we thought! Now we received word that we will be required to do a formal “presentation” of our package to the AO. We were sent a PowerPoint template we will need to complete and be prepared to present. What the……? Just when we thought we were finished, another task has been thrown in our path. Nowhere in the RMF publications (DoDI 8510.01, etc.) is there any mention of such a presentation. Are we being singled out for some reason, or is this a part of everyone’s RMF process (albeit undocumented)?
Dr. RMF Responds:
Dear Picking on Us,
You are correct in one sense. An AO presentation is not a part of the standard RMF process. Evidently, however, your AO does require it. Dr. RMF is quite certain your AO requires it of all system owners within his/her purview. You are not being singled out. Whether you like it or not, your AO has the authority to impose these kinds of “additions” to the process, so long as they do not contradict the letter and spirit of the RMF process and security controls. Dr. RMF recommends you just “go along with it” and your life will be easier … no use trying to fight the very person who will be signing your ATO!
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.