Beginning August 2016, all new Information System (IS) accreditations required Defense Security Service (DSS) Industry sites to adhere to the Risk Management Framework (RMF) Assessment and Authorization (A&A) process provided in the DSS Assessment and Authorization Process Manual (DAAPM) to achieve Authorization to Operate (ATO) status.
This new framework encompasses a six-step process that begins with risk categorization and ends with continuously monitoring security controls to measure effectiveness. This new accreditation process provides a complex challenge to Industry through new approaches to system categorization, assessment, and continuous monitoring.
Listen to our Sr. Compliance Expert Michelle Maitland, CISSP discuss the new Risk Management Framework on the CyberWire.
The Risk Management Framework process focuses on documenting risk mitigation rather than on the specific technical implementation requirements that were previously provided by the ODAA Baseline. Facility Security Officers (FSOs) and Information System Security Managers (ISSMs) will need to individually assess each requirement (or security control), provide an implementation recommendation for that requirement, and give a detailed explanation of how the particular control’s implementation meets each control requirement.
It’s an intensive process that’s new to many Industry security personnel, and it can present a high bar to clear for those encountering it for the first time.
SecureStrux Risk Management Framework
As a trusted partner with Risk Management Framework expertise in the Industry, SecureStrux can reduce the complexity of implementing this new framework while easing the strain on budget and resources. Our hands-on approach throughout the Risk Management Framework lifecycle provides FSOs and ISSMs with the information they need to interpret the controls and implement the requirements based on the size and scope of their information system, large or small. The DoD Risk Management Framework may seem like a daunting transition, but SecureStrux is here to help.
Hands-on Assistance for All Steps
We can assist throughout the lifecycle process, whether you are just beginning or already in progress.
Delivering More Value
SecureStrux goes beyond basic help at each Risk Management Framework step to deliver the technical and administrative service you need to excel. We not only provide the essential technical implementation skills necessary to implement the controls based on your environment, but our proven documentation templates, process implementation checklists, and continuous monitoring tools provide the head start you need to complete each Risk Management Framework step quickly and efficiently.
Samples of our value-added services include:
- Creating personnel policies that adhere to Risk Management Framework requirements and performing gap analysis to identify and close holes in existing controls.
- Providing secure configuration support based on DSS guidelines to meet standards, set benchmarks, and configure system settings that satisfy Risk Management Framework requirements.
- Creating a robust media protection policy, limiting the risk of Insider Threat concerns as well as improving adherence to Risk Management Framework requirements.
- Continuous monitoring tool implementation and hands-on training to proficiently utilize the tool to its fullest extent while maximizing process efficiency.
SecureStrux offers these and many more services to help your organization achieve compliance and maintain a secure environment.
“JSP CCRI Team, You all have been a beacon of security awareness throughout your time supporting all the various Pentagon Headquarter organizations. Our security posture has significantly improved due to all your efforts. You have raised awareness, provided technical assistance, and been a driving force for improved security throughout JSP and all supported organizations.”
“I would like to thank the network review team [member], Mr. Gaines...for the excellent review work they completed for the 2RCC CCRI, 07-19 AUG 16. Between the three of them, they were able to review nearly 16 sites’ worth of network devices, including internal and external devices. Thank you for your hard work and dedication in successfully completing all review requests.”
DRSI Team Lead
“We got an Excellent on our CCRI and a Superior on our DSS SVA! Thanks to Michelle and the other SecureStrux team members. We wouldn't have been successful without them.”