Anyone out there dealing with the DoD implementation of the NIST 800-37 RMF? Just in case, it’s the “Guide for Applying the Risk Management Framework to Federal Information Systems” developed by the Joint Task Force Transformation Initiative Working Group. I have been knee deep in it now since it got rolled out and wanted to share some of the insights I have had as I worked with systems to get them authorized under the RMF. Start Early Implementing will take longer than you think. Regardless of if you already have documentation from the DIACAP days or you have to generate from scratch, expect it to take a while to get done. The RMF looks at just about all IT related policies and procedures. Proper Categorization This one I cannot stress enough. Improper categorization can cause no end to grief as you either struggle to implement controls based on the baseline or tailor controls to meet the security requirements for your system. I had a system that the owner insisted be categorized as High for Integrity. This not only added many controls, it added controls that could not be met without significant cost increase to the program due to the nature of the hardware it was working with. Tailor Tailoring is your friend and gives you the opportunity to really address the uniqueness of your system. The old mindset was to just call a control Not Applicable (NA) if it wasn’t needed. With tailoring, that is no longer needed. You can “remove” controls so long as you properly document the rational for removing the control. This is also a chance to add controls to address concerns because of the nature of your system. Again, just document the rational for adding the control. Regardless of what you add or remove, the approval authority needs to sign off on the control set. Assessment Have everyone available for the assessment that you need. That means having sysadmins and network admins available as well as the system owner. The assessment team is going to want to talk to them and in some cases observe how they do their job. Authorization It has been my experience that the same folks that assessed and made decisions under DIACAP are still making decisions under the RMF. That means that while you may not think a particular finding or findings are the end of the world, the assessment team and the authorizing official may. Be prepared for that check the box mindset. Take the time between the assessment and the authorization to start knocking items off your POA&M so that when the AO comes back and says you need to do x to get the authorization, you are ahead of the game.
No matter what, don’t stress the RMF. It is, first and foremost, a framework for assessing and managing risk to your system. It serves to help you identify your risks and make the appropriate decisions on how to address those risks whether by transfer, mitigation, or acceptance.
Links SP 800-37 Rev. 1 Final SP 800-37 Rev. 2 Draft