RMF: Addressing Security Controls and Assessment Procedures
- Kie Yavorsky
- Jul 12, 2024
- 6 min read
In practical terms, what is an RMF package?
Risk Management Framework (RMF) professionals working in cyber security are often tasked with answering security controls within a DoD web portal called Enterprise Mission Assurance Support Service (eMASS). eMASS is where RMF packages describing networks and systems are stored. Every network or program within the DoD has an eMASS package that assesses it from a cyber security perspective. An RMF package contains a series of cyber security questions that cyber security professionals must address, providing proof in the form of artifacts that demonstrate the answer given to each question is, in fact, true. The questions are called security controls, and every security control has a set of subquestions called assessment procedures.
Working from the bottom up
A security control is answered by answering all of its assessment procedures, and when all the security controls are answered, the package is complete.
An assessment procedure can be responded to with "compliant," "non-compliant," or "not applicable." When an assessment procedure is answered compliant, the cyber security professional provides a written response to the question called a test result.
How to answer an assessment procedure with a test result
Test results should reference specific details about how the conclusion was reached, which artifact was used to reach it, and where in the artifact (such as the page number or section number of a document) the justification can be found. Providing these details lets others who view the response later understand how the conclusion was reached. An artifact is a document or other evidence demonstrating that the test result response is true. Artifacts can be policy documents, Standard Operating Procedure (SOP) documents, screenshots, scan results, log files, reports, configuration files, or even emails saved as PDF files. Artifacts are uploaded to the assessment procedure, and the two are linked together for reference.
The "Known, Documented, Implemented, and Implemented" methodology
This methodology helps cyber security professionals answer RMF assessment procedures.
Finding cyber security issues
By answering all the assessment procedures within a security control, the security control is answered. If even one assessment procedure within a security control is non-compliant, then the security control itself is also non-compliant. When an assessment procedure or security control is found non-compliant, the next question is, "can the issue be resolved or not?" There are many situations where a security requirement cannot be followed to the "T" because reality conflicts with regulations. As an example, suppose a regulation requires that a door in a building be locked, and that the door be a secure vault door with a specific security rating. You cannot follow that regulation if you are working out of a tent. The reality is that tents don't have big security doors made to withstand bullets and bombs. Another example of reality conflicting with regulation is a configuration required on a server by a Security Technical Implementation Guide (STIG) that breaks the server.
Configuration requirements often cause unforeseen issues with servers and other systems that render them nonfunctional. In situations like this, cyber security professionals are asked how systems can be both secure and able to perform the functions the organization needs. When assessment procedures are found non-compliant due to such issues, a Plan of Action and Milestones (POA&M) is created if the issue can or should be resolved, and an Authorizing Official Risk Acceptance (AORA) is created if the issue cannot or should not be resolved.
A POA&M is a "plan to fix the problem" with specific milestones and goals to meet until the problem is eventually resolved. As an example, if a door should have a lock but lacks one, a POA&M can be created to place a lock on the door, and the milestone steps until the door can be properly locked might include:
Placing a guard in front of the door to mitigate the immediate risk
Ordering a lock
Scheduling a locksmith to install the lock
Having the lock installed and supervising the installation
Certifying that the lock was installed correctly
This example references a physical door; however, POA&Ms can apply to anything from updating a policy document to patching a server. POA&Ms are a way to fix problems that tracks the process and keeps everyone involved accountable.
An AORA is used when fixing the problem isn't possible or would be unwise. Instead, the Authorizing Official (AO), the person who ultimately holds the risk associated with any system or RMF package, is asked whether they will accept the risk or not. If a risk is not accepted, a system or service may need to be shut down. In the previous POA&M example about a door lock, the entire facility may no longer be usable if it cannot be secured. An AORA is often used if conforming to a regulation would break a server or system. An AORA can also be used when the cost of following the regulation would be nonsensical. For example, if a door requires a lock to secure $10 worth of equipment, but it would cost $10,000 to install the right door, an AORA may be used to accept the risk of potentially losing the $10 of equipment. An AORA is often accompanied by mitigations to reduce risk. For example, just because you cannot lock a door does not mean you cannot place a sign on it that says "only authorized personnel allowed," or a sign-in roster could be placed on the door with a policy requiring individuals to sign in and out of the location, reducing the risk to the $10 equipment. This example refers to a physical environment; however, AORAs are often used for technical system configuration changes. For example, suppose a configuration change is required, but that change would also break the organization's enterprise network. In that case, an AORA can be implemented along with mitigations that reduce the likelihood of exploitation, such as installing a firewall in front of that system to restrict access to the vulnerable system the AORA covers.
Processing the RMF package after answering all controls
Once an RMF package has had all of its security controls addressed, it is forwarded in a workflow to be reviewed by Security Control Assessors (SCAs) and other validators, who verify that the answers provided to the questions were, in fact, true. Finally, the AO receives the package and makes a determination on it called a security authorization decision. The AO can issue any of the following:
Authorization to Operate (ATO)
Authorization to Operate (ATO) with conditions
Authorization to Test (IATT)
Denial of Authorization to Operate (DATO)
An ATO or ATO with conditions can be issued for 1 year, 2 years, or 3 years. An ATO with conditions should specify an AO review period within 6 months of the authorization date and describe any specific limitations or restrictions placed on the operation of the information system or inherited controls that the system owner must follow.
If you are an ISSO and your organization receives a 3-year ATO, that is good. However, if your organization receives a 1-year ATO with conditions, that is bad. And if your organization receives a DATO unexpectedly, that is very, very bad, because your network or system will be immediately disconnected.
Every cyber security professional working in RMF has the same basic goal: answering assessment procedures and security controls, creating POA&M or AORA documents, and gathering artifacts from system administrators, network engineers, and other personnel involved with a system or network. If reviewing an RMF package sounds like playing a big game of 20 questions while verifying the answers received, it's because that analogy is accurate. RMF professionals must have the detective skills to tell when a server admin is lying to hide a security vulnerability, the technical skills to find the vulnerability themselves if needed, and the social skills to explain technical issues to nontechnical management and guide the organization toward a stronger cyber security posture without everyone in the room panicking or impacting their business and mission goals. RMF can be a fun and rewarding career path filled with challenges and opportunities for those seeking to work with professionals from every walk of life and those seeking to take the next step in their cybersecurity career.