One of my customers was told by their Security Control Assessor (SCA) that they could not get Authorization To Operate (ATO) unless their POA&M had zero open items; in other words, they are expected to be 100% compliant with all the controls in their baseline. What makes this even more ridiculous is that the system in question has no connection to any other system or network – it is literally a standalone system! Does this make any sense to you, Dr. RMF?
Dr. RMF Responds:
The short answer is “No”. The decision to issue an ATO … which, by the way, belongs to the Authorizing Official (AO) and not the SCA … should be based on a judgment that the overall system risk is acceptable. Virtually every system will have some non-compliant controls – perfection is a laudable goal but rarely achievable in the real world. So long as the POA&M presents a realistic
plan to address the non-compliant controls, the AO should at least be willing to consider an ATO or ATO with Conditions. That way, the system can be put into operation while the remaining non-compliant items are addressed.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/