Key RMF Requirements to Obtain and then Maintain an
Authority to Operate for a Federal Automated Information System
Document Policies & Procedures
A key requirement in the process of obtaining an Authority to Operate (ATO) is to document the IT system's policies and procedures. The policies and procedures must be written with an eye toward becoming the "security plan" of the IT system, not a set of documents that sits on a shelf for the three years after the ATO is obtained. Also, Security Control Assessor - Validator (SCA-V) assessors normally require the IT system owner to sign each policy/procedure document.
When developing a documentation package, some documents allow creativity in their design and others are very rigid. Documents that normally have a very structured format are:
The IT system team has options in how it organizes the policies and procedures. There are two common ways of documenting them:
Family Style – Each control family is documented one at a time. This can take the form of one policy document and one procedure document for each of the 18 security control families (2 x 18 = 36) or one document per family where the policies and procedures are combined (1 x 18 = 18).
If privacy controls are applied, 8 more families are added. Depending on the structure this adds another 16 documents (2 x 8 = 16) or 8 documents (1 x 8 = 8).
Under the family methodology, the document count ranges from a low of 18 (one document per family combining policies and procedures, and no privacy controls apply) to a high of 52 documents (one policy and one procedure document for each of the 18 security families plus one policy and one procedure document for each of the 8 privacy families: (18 x 2) + (8 x 2) = 52).
Traditional Format – Policies and procedures are combined into a single document, and each document has a topical focus (for example, access control, incident response, or configuration management) rather than a one-to-one mapping to a control family. This results in approximately 8 documents. This model is typically much more user-friendly.
See table below describing the two document styles.
Perform a Self-Assessment
Key elements of performing a self-assessment include:
–A standard RMF requirement in most agencies is to conduct a self-assessment of the non-common controls and then enter the results into a management system (e.g., eMASS for the DoD).
–Each security control, or its associated Control Correlation Identifiers (CCIs) in the DoD, must be addressed as part of the comprehensive self-assessment.
–Each control is assessed to be Compliant (C), Non-Compliant (NC), Inherited (I), or Not-Applicable (N/A).
–Technical: Automated and manual testing is conducted on hosts and devices using agency automated methodologies, manual data collection, and subsequent data analysis. Be prepared to provide complete (100%) authenticated scans of the full IP range, checklists (e.g., DoD STIGs) for all technologies in use, network diagrams, and the associated narrative IAW DISA's DISN CAP.
–Non-Technical: Data collection, test scenarios, personnel interviews (administrators, operators, security personnel, etc.), physical inspection, observation, and documentation reviews may commence prior to the validation team's arrival and will extend through the duration of the on-site visit.
To be found compliant, each security control must be:
–Known: Personnel are aware of the requirement and the internal processes to meet that requirement.
–Documented: Information and processes are recorded, kept up-to-date, and readily available to allow for consistent application.
–Implemented: Validation confirms that the known and documented processes are the same and are consistently applied across the environment.
–Each control requires evidence of compliance in the form of an artifact/document.
–When entering test results for each CCI, ensure the artifact is referenced by name, the required narrative is included, and the appropriate page number and/or section number is referenced (if applicable), so the validator can locate the evidence within eMASS.
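As an added example (not from the original page or from any agency tool), the following Python script checks the "complete (100%) authenticated scans of the full IP range" readiness item above: it compares a scanner export against the authorized IP ranges and reports in-scope hosts that were never scanned, hosts scanned without credentials, and scanned hosts that fall outside the documented boundary (which means either the scan scope or the network diagram is wrong). The CSV export format, the `AUTHORIZED_RANGES` values, and the sample rows are constructed assumptions; real scanner exports (ACAS/Nessus and others) use different columns, so the parser is the part to adapt.

```python
"""Verify authenticated-scan coverage against an authorized IP range.

Added example, not the page's or any agency's code. The export format below
(ip,credentialed) is a constructed, hypothetical CSV; adapt parse_export()
to the real scanner's export.
"""
import csv
import io
import ipaddress

# Constructed sample: the accreditation boundary as recorded in the security plan.
AUTHORIZED_RANGES = ["10.20.30.0/29", "10.20.31.8/30"]

# Constructed sample scanner export. "credentialed" marks whether the scanner
# actually authenticated to the host; an unauthenticated hit is not "complete".
SAMPLE_EXPORT = """ip,credentialed
10.20.30.1,true
10.20.30.2,true
10.20.30.3,false
10.20.30.4,true
10.20.31.9,true
10.20.31.10,true
192.168.1.5,true
"""


def parse_export(text):
    """Return {ip_address: credentialed_bool} from the hypothetical CSV export."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["ip"].strip())
        results[ip] = row["credentialed"].strip().lower() == "true"
    return results


def expected_hosts(ranges):
    """All host addresses inside the authorized ranges (network/broadcast excluded)."""
    hosts = set()
    for cidr in ranges:
        hosts.update(ipaddress.ip_network(cidr).hosts())
    return hosts


def coverage_report(ranges, export_text):
    """Compute coverage of the authorized ranges by credentialed scans."""
    scanned = parse_export(export_text)
    expected = expected_hosts(ranges)
    authenticated = {ip for ip, cred in scanned.items() if cred}

    missing = expected - set(scanned)                       # never scanned at all
    unauthenticated = expected & (set(scanned) - authenticated)  # scanned, no creds
    out_of_scope = set(scanned) - expected                  # outside the boundary
    covered = expected & authenticated
    pct = 100.0 * len(covered) / len(expected) if expected else 0.0

    return {
        "expected": len(expected),
        "authenticated_in_scope": len(covered),
        "coverage_pct": round(pct, 1),
        "missing": sorted(str(ip) for ip in missing),
        "unauthenticated": sorted(str(ip) for ip in unauthenticated),
        "out_of_scope": sorted(str(ip) for ip in out_of_scope),
    }


if __name__ == "__main__":
    report = coverage_report(AUTHORIZED_RANGES, SAMPLE_EXPORT)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Anything short of 100% is a finding against the readiness item above.
    if report["coverage_pct"] < 100.0:
        raise SystemExit("scan coverage incomplete; fix before the validation visit")
```

Run it before the validation team arrives; the three lists are the work queue (rescan the missing hosts, fix credentials on the unauthenticated ones, and reconcile the out-of-scope hits with the network diagram). For the constructed sample the script reports 62.5% coverage.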
Undergo External Audit
The Security Control Assessor - Validator (SCA-V) is responsible for conducting comprehensive assessments of the management, operational, and technical security controls employed within or inherited by an information system (IS) to determine the overall effectiveness of the controls and the severity of weaknesses or deficiencies.
Typical audit schedule:
To be in full compliance, a security control must be Known, Documented, AND Implemented:
- Known: Staff are aware of the requirement and the internal process to meet that requirement.
- Documented: Critical information and processes are recorded, kept up-to-date, and readily available, allowing for consistent application.
- Implemented: Validation indicates the known and documented processes are one and the same and are consistently applied throughout the system/environment.
Assessment methods include:
Technical
– Automated and manual testing will be conducted on a sampling of hosts and devices using automated tools, manual STIG review, and subsequent data analysis.
Non-Technical
– Involves test scenarios, interviews of personnel (leadership, engineering, administrators, operators, etc.), walkthroughs, observation, and documentation reviews (the majority performed prior to the site visit).
Compliance status is determined to be one of the following:
Compliant (C)
– CCIs for which the expected results for all associated validation procedures have been achieved.
Non-Compliant (NC)
– CCIs for which one or more of the expected results for the associated validation procedures are not achieved. Not achieving the expected results for all validation procedures does not necessarily equate to unacceptable risk.
Not Applicable (NA)
– CCIs that do not impact the security posture of the IS, as determined by the AO.
Non-compliant controls are assessed to be one of the following severity levels IAW the NIST SP 800-30 vulnerability severity scale:
Very High – The vulnerability is exposed and exploitable, and its exploitation could result in severe impacts. Relevant security control or other remediation is not implemented and not planned, or no security measure can be identified to remediate the vulnerability.
High – The vulnerability is of high concern, based on the exposure of the vulnerability and ease of exploitation and/or on the severity of impacts that could result from its exploitation. Relevant security control or other remediation is planned but not implemented; compensating controls are in place and at least minimally effective.
Moderate – The vulnerability is of moderate concern, based on the exposure of the vulnerability and ease of exploitation and/or on the severity of impacts that could result from its exploitation. Relevant security control or other remediation is partially implemented and somewhat effective.
Low – The vulnerability is of minor concern, but the effectiveness of remediation could be improved. Relevant security control or other remediation is fully implemented and somewhat effective.
Very Low – The vulnerability is not of concern. Relevant security control or other remediation is fully implemented, assessed, and effective.
Be ready, there is just
Conduct Continuous Monitoring
Automated scanning is a critical enabler helping to reduce costs, increase efficiency, and improve the reliability of Continuous Monitoring efforts.
NIST SP 800-137 defines information security continuous monitoring (ISCM) as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Continuous Monitoring (CM) in a Risk Management Framework consists of continuous assessments, reporting, and authorization of information systems to monitor security risks.
- CM involves ongoing assessment and analysis of the effectiveness of all security controls.
- Ongoing reporting on the security posture keeps the authorizing official (AO) informed.
- CM supports risk management decisions that keep organizational risk within the accepted risk tolerance.
- CM should integrate the SDLC, risk profiling, manual and automated assessments, and governance.