Sean from the US Navy asks:
Dr. RMF, we are working on an acquisition for several new medical imaging devices in our hospital. Each of these new devices contains an embedded computer running the Linux operating system. A connection to the hospital’s data network is used to send imaging data to the main hospital database. Will these systems need their own RMF ATO, or can they be included in the overall system boundary of the hospital and therefore not require a separate ATO? If the new devices require their own ATO, can we add it to the vendor’s scope of work or do we have to do it ourselves?
Dr. RMF responds:
Sean, the question of whether to seek a separate ATO for the new imaging devices depends on the hospital’s overall Assessment and Authorization (A&A) strategy. Some facilities will lump everything into a single system boundary, while others will maintain an ATO for the network infrastructure and separate ATOs for systems connecting to the network. The best way to make that determination is to approach the Authorizing Official (AO) or his/her designated representative. As for adding RMF to the vendor’s scope of work, you can certainly do that, but keep in mind you’ll need to provide more specific guidance than just “do RMF”. You’ll be far better off with specific tasking to the vendor, such as “evaluate your product against the following STIGs and make appropriate remediations to the system configuration to address non-compliant items”.
Do you have an RMF dilemma you could use advice on? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher whose primary research focus is RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.