With fewer resources, tighter budgets, and requirements accumulating, it is imperative that organizations use available experience and tools to effectively implement the Risk Management Framework (RMF) and understand how it fits into the bigger organizational picture. In my experience helping IC organizations navigate the RMF transition, I’ve learned that the key elements to establishing an effective transition and overcoming the inherit challenges are to:
- Take advantage of those who have gone before you and adopt lessons learned by transitioned organizations. Through the initial adoption of the RMF into the IC it became clear that the current version of the 800-53 controls catalog needed a rewrite. NIST and the taskforce went back to work and the control text was broken down into a more granular set of controls that would enable entities to full meet the intent of the control at the appropriate tier.
- Ensure the stakeholders have a well thought-out and standardized community Body of Evidence (BoE) which closely matches that of the community at large and is well coordinated and communicated with stakeholders. The close coupling of the intent and content of the BoE will enable you to leverage reciprocity from other organizations using the RMF, and for others to trust the BoE you provide them in return.
- Consider adapting the organization and processes to align to NIST 800-37 workflow, objectives, and tasks. As the RMF is intended to integrate information security into the enterprise architecture and system development life cycle it can provide a model for a well-controlled plan on how to manage change in the operating environment.
- Prioritize purchasing plans on automated tools in order to take advantage of the inheritance model, reciprocity, and multiple tiered Assessment and Authorization strategy. The amount of information and connected nature of inheriting not only the text of another system but the status of the control makes it imperative that you don’t rely on old methods, but rather, take advantage of the tools available to efficiently manage the data and state of the controls.
Since it was established in 2009, the RMF’s vision to produce a unified information security framework has evolved and still faces challenges as it expands into the DoD. As your organization makes the RMF transition, don’t get stuck in a “copy and paste” exercise from DCID 6/3 or DIACAP, but take advantage of the lessons learned by those organizations who have experienced the growing pains.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.