Dear Dr. RMF,
Meredith writes:
Hi Dr. RMF! We are working on the RMF package in eMASS for a new system and there is a check box labeled “National Security System”. We’re not sure whether to check this box or not. One of my colleagues thinks we should check the box because “all DoD systems are considered National Security Systems”. That sounds plausible, but still I’m not sure. I’m afraid if we check that box it will have undesirable effects, like adding more security controls to our baseline. Please, Dr. RMF, can you give us some assistance on this?
Dr. RMF responds:
It does seem plausible to think all DoD systems are National Security Systems (NSS). After all, aren’t we supposed to use CNSSI 1253 to guide us through system categorization and security control selection … and CNSS stands for the Committee on National Security Systems? Alas, it is not true. In fact, most DoD systems are not NSS. NIST Special Publication 800-59 provides the criteria for determining whether or not a system is NSS. All classified systems are NSS, but unclassified systems are only NSS if they meet one or more of seven specific criteria, such as intelligence activities or command and control of military forces.
That being said, why does DoD require the use of CNSSI 1253 on all systems, regardless of whether they are NSS or not? The answer is that DoD wanted to leverage the system categorization methodology as defined in CNSSI 1253, i.e., to have separate categorization for Confidentiality, Integrity, and Availability. Outside of DoD, CNSSI 1253 is only used for NSS. Non-NSS are categorized using FIPS 199, which results in just a single categorization level of High, Moderate or Low.
Anyway, in your case Dr. RMF recommends you consult your system owner to help in making this determination. And, by the way, you can rest easy about that check box – near as we can tell, it is informational only and does not have any undesirable side-effects.
Do you have an RMF dilemma you could use some advice on? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants, who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/