My Experience with the DoD Version of the RMF

Anyone out there dealing with the DoD implementation of the NIST 800-37 RMF? Just in case, it’s the “Guide for Applying the Risk Management Framework to Federal Information Systems” developed by the Joint Task Force Transformation Initiative Working Group. I have been knee deep in it now since it got rolled out and wanted to share some of the insights I have had as I worked with systems to get them authorized under the RMF.

  1. Start Early – Implementing will take longer than you think. Regardless of whether you already have documentation from the DIACAP days or you have to generate it from scratch, expect it to take a while to get done. The RMF looks at just about all IT-related policies and procedures.
  2. Proper Categorization – This one I cannot stress enough. Improper categorization can cause no end of grief as you either struggle to implement controls based on the baseline or tailor controls to meet the security requirements for your system. I had a system that the owner insisted be categorized as High for Integrity. This not only added many controls, it added controls that could not be met without a significant cost increase to the program due to the nature of the hardware it was working with.
  3. Tailor – Tailoring is your friend and gives you the opportunity to really address the uniqueness of your system. The old mindset was to just call a control Not Applicable (NA) if it wasn’t needed. With tailoring, that is no longer necessary. You can “remove” controls so long as you properly document the rationale for removing the control. This is also a chance to add controls to address concerns arising from the nature of your system. Again, just document the rationale for adding the control. Regardless of what you add or (Read more...)

*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by sgt_mjc. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/_nU0N23Ft2s/