“Identity Crisis” writes:
I am a contractor working on development of a system that is jointly owned by a DoD agency and a federal civil agency (Dept. of Treasury). My company is expected to do most of the “heavy lifting” to develop the RMF package for this system and we are terribly confused as to how we should approach this task. Our boss is not terribly understanding, he seems to think that since DoD and Treasury “both use RMF”, there shouldn’t be any ambiguity and our path forward is clear. How do we convince him it’s harder than he thinks? Beyond that, how do you recommend we approach the RMF tasking?
Dr. RMF responds:
A system under joint ownership needs to have a single designated Authorizing Official (AO). There should be a Memorandum of Agreement (MOA) put in place between the two organizations’ AOs that designates one or the other of them as the “lead” AO. This can sometimes be a long and painful process, but, fortunately, as a contractor, it will not involve you or your company!
Among the issues that will need to be “negotiated” are the RMF roles and responsibilities. It’s critical that there be agreement on which RMF process and control sets are to be used. DoD RMF and Treasury RMF are certainly very similar, but there are key differences that will have to be worked out. For example, the DoD RMF process uses CNSSI 1253 as the process document for system categorization and security control selection. On the other hand, the Treasury RMF process will use CNSSI 1253 for systems designated as National Security Systems (NSS) only; all other systems will use FIPS 199 for categorization and NIST SP 800-53 for security control selection.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/