Dear Dr. RMF

Dear Dr. RMF, Meredith writes: Hi Dr. RMF! We are working on the RMF package in eMASS for a new system and there is a check box labeled “National Security System”. We’re not sure whether to check this box or not. One of my colleagues thinks we should check the…

Post Categories: Dr. RMF

Dear Dr. RMF

Dear Dr. RMF, “Assessed” writes: Please help me better understand RMF Assess Only. Some of my colleagues are saying we should consider pursuing an Assess Only ATO because it’s so much easier than going through the full ATO process. Is that even for real? Dr. RMF responds: RMF Assess Only…

Dear Dr. RMF

JZ writes: I have a question regarding Control Enhancement AC-6(3). The control states that the organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs and documents the rationale for such access in the security plan for the information system. Does this mean that every privilege…

Dear Dr. RMF

Daphne in Kansas City asks: Dr. RMF, we are bidding on a multi-year contract to provide services to a DoD agency. The process is down to the final stage and we are looking good to win the work. Assuming we are awarded the work, the government will be requiring us…

Dear Dr. RMF

Sean from US Navy asks: Dr. RMF, we are working on an acquisition for several new medical imaging devices in our hospital. Each of these new devices contains an embedded computer running the Linux operating system. A connection to the hospital’s data network is used to send imaging data to…

Dear Dr. RMF

Tony from OSD asks: Dr. RMF, I currently assess a boundary that includes all of our desktops, laptops, network printers, and some local printers. There are a number of devices (i.e., desktops/laptops) that don’t store Personally Identifiable Information (PII) per se, but will disseminate PII to our records management boundary…

Dear Dr. RMF

Dear Dr. RMF, I have a boundary for a web application. My SISO wants to move another web application into this approved boundary. The move is because both have similar operating characteristics, security and privacy requirements, and reside in the same environment of operation. As the SCA for the receiving…

Dear Dr. RMF

Dear Dr. RMF, In my research I cannot find any Agency level documentation that states this, however, I have located examples of contracts that have PII guidance pertaining to contractors. So, would it be considered compliant if I have examples of the contracts or should this be documented at Agency…

Dear Dr. RMF

Dear Dr. RMF, What is the purpose of having all personnel register at the DTIC website to receive update notifications? If we do not implement this, do we need to submit a POA&M for risk acceptance to the AO? Why DTIC, Regarding CA 1.6, the expression “What were they thinking?” comes…

Dear Dr. RMF

Dear Dr. RMF, In my office we are disputing the intent of RMF Control SA-4(9), i.e., whether it can be inherited or if it is intended to be system-specific. The control description states organization, but the compelling evidence calls for the SSP. Furthermore, the AP procedures call for contracts/agreements to be inspected. …