Risk Management Framework (RMF) Assessment & Authorization (A&A)
Effective October 2016 all new Department of Defense (DoD) programs are required to be accredited under the Risk Management Framework (RMF) Assessment and Authorization (A&A) process. All existing DoD programs that fall under the Defense Information Assurance Certification and Accreditation Process (DIACAP) Certification and Accreditation (C&A) process are required to begin, if they haven’t already, the transition to RMF.
With the DIACAP C&A process, agencies would go through the process to achieve an Interim Authorization to Test (IATT), Interim Authorization to Operate (IATO), and ultimately an ATO. We helped many companies achieve their IATTs, IATOs, and ATOs. With the RMF A&A process, IATTs and IATOs are no longer applicable. Now, we help companies achieve an ATO with conditions, and ultimately an ATO. If your organization is struggling with getting through the process of obtaining an ATO or just needs direction on how to get started, SecureStrux can help. We are intimately familiar with both DIACAP C&A and RMF A&A processes and procedures and the associated laws, regulations, and instructions that mandate a formal process for compliance is implemented and followed.
This transition can be complicated and often takes months to complete. We have assisted companies and Federal agencies through this complex process and we can work through any applicable framework to ensure the C&A / A&A process and procedures are thoroughly completed efficiently and on-time.
SecureStrux supports a range of C&A / A&A needs such as:
- Articulating and designating security controls in a System Security Plan(SSP) for a given Major Application(MA) or General Support System (GSS)
- Defining system boundaries
- Drafting Interconnection Agreements
- Establishing security categorizations according to FIPS PUB 199
- Assessing the effectiveness of the security controls in place with a Security Test and Evaluation (ST&E) and Security Assessment Report (SAR)
- Managing and remediating weaknesses uncovered as a result o fan assessment through continuous monitoring and creating Plan of Action andMilestones (POA&Ms) when required
- Drafting documents as necessary for the Certification Authority (CA), now Security Control Assessor (SCA) and the Designated Approval Authority (DAA), now Authorization Official (AO)
- Using an established and standardized method to assess security controls for both DoD and Federal information systems
Complimentary A&A services such as:
- General Consulting: Provide periodic on-site consultant for any portion of the project or complete support of the RMF A&A process, from start of the process until you receive accreditation. Our consultants can help guide your team through the documentation and complex framework of the RMF methodology.
- Control Assessments: Review organizational documentation against system and control implementation. Provide expert guidance as to how to fix or mitigate identified openings on the basis of each control’s current implementation.
- Document Preparation: RMF requires a great deal of documentation, including System Security Plans (SSPs), Security Policies and Procedures, Continuity Plans, Incident Response, etc. Our team can specifically tailor these documents to your organization and security program.
- System Hardening: RMF A&A requires systems and networks to be secured or “hardened.” Most systems, devices, and appliances arrive from the factory in an unsecured default state. Our Cybersecurity Analysts have worked with a wide range of coding challenges, proprietary applications, databases and complex network infrastructures. We can provide the expertise that will enable you to receive an ATO, bring your organization into compliance, reduce your exposure to risk, and keep your data secure.
- Complete Package: We can support your entire RMF lifecycle process. Our complete package includes all of the above services. Let us help you meet your organizations RMF A&A requirements, so you can focus on your mission and what you do best.