Risk Management Framework Assessment & Authorization
The Department of Defense continues to improve and evolve the Risk Management Framework (NIST 800-53) process to increase the protection and security of the assets within the DoD and the Defense Industrial Base. When acquiring an Authority to Operate (ATO), three main types of ATOs can be applied for and received: an Enclave (SIPRNet, NIPRNet, eWAN), System (MUSA/SUSA/P2P), or Application (Software/Hardware) ATO.
The process for acquiring your ATO involves six steps:
- Categorize the System – this happens in conjunction with the governing body or agency that issues the ATO (DCSA or DISA).
- Select Controls – based on the categorization of the system by the government agency, a specific set of controls is selected.
- Implement Controls – including defining system boundaries, drafting interconnection agreements, registering the system in the authorization tool (eMASS, Xacta, or other), and articulating and designating security controls in a System Security Plan (SSP) for an enclave (SIPRNet, NIPRNet, eWAN, LAN), system (SUSA/MUSA/Peer2Peer), or application.
- Assess Controls – assess the effectiveness of the security controls in place with a Security Test and Evaluation (ST&E) and a Security Assessment Report (SAR). Prepare documents and artifacts and upload them to eMASS. Manage and remediate weaknesses uncovered by the assessment through continuous monitoring and a Plan of Action and Milestones (POA&M) as required, using an established and standardized method to assess security controls for both DoD and Federal information systems. We will draft documents as necessary for the Security Control Assessor (SCA) and Authorizing Official (AO).
- Authorize System – support your team during the authorization process with updates and changes to documents, procedures, etc. as required by the AO during the review to receive your Authority to Operate.
- Monitor Controls – ongoing work with your team to manage the weekly, monthly, quarterly, semi-annual, and annual monitoring required by your system and ATO.
SecureStrux helps organizations through this challenging and frequently daunting process. Our Subject Matter Experts are well versed in multiple facets of the DoD Risk Management Framework (RMF) process from standing up new systems and engineering new solutions to assisting customers through the latest updates in the current DAAPM (Defense Assessment and Authorization Process Manual) guidelines and eMASS implementations for cleared and defense contractors.
Is your organization struggling with obtaining and maintaining an Authority to Operate (ATO)? Need direction on how to get started with a Security Assessment & Authorization?
SecureStrux can help. We are intimately familiar with the RMF A&A processes. We assist clients in working through the associated laws, regulations, and instructions that mandate a formal process for risk management, ensuring continuous monitoring is implemented and followed. Our expertise spans the Department of Defense, State governments, and the Federal government.
There are three primary ways that your organization can partner with SecureStrux to receive and maintain your ATO:
- Project – Complete RMF Package: a one-time project for compressed timelines to get your initial ATO or submit for an ATO renewal. We will support your team during the entire RMF lifecycle process.
- Continuous Monitoring & Support: continuous support to improve your security posture, implement POA&M items, and meet your continuous monitoring requirements.
- General Consulting or Gap Assessment: remote or onsite consultation for any portion of the RMF project.
Complete RMF A&A Package:
We can support your entire RMF lifecycle process. Our comprehensive package includes all of the above services, from the start of the process until you receive accreditation. Our consultants can help guide your team through the documentation and complex framework of the RMF methodology.
Complete Steps 1 and 2 of RMF Process (On-site)
- Complete the Information System (Tier 3) Risk Assessment Report (RAR).
- Determine overall security categorization of Information System using the completed RAR, associated government contract(s), and relevant mission/business information.
- Assist with finalizing Information System categorization and security control selection using the NISP eMASS Information System (IS) registration process.
- Tailor security controls, as needed, by supplementing, modifying, and tailoring controls to effectively manage risk for any unique system conditions and handling requirements.
- Identify where each security control will be documented, based on existing policies and procedures.
Develop Documentation (SecureStrux Facilities)
- Develop new, or update existing, documentation based on information collected during an initial onsite visit.
- Submit documentation for client review, and update documentation based on client feedback.
- Develop security control Implementation Plans and System Level Continuous Monitoring strategies.
- Work with client staff to develop and finalize eMASS Test Results required for package submission.
Complete Steps 3 and 4 of RMF Process (On-site)
- Use STIG Viewer to assess Operating Systems (OS) for technical security control implementation.
- Document security controls that cannot be implemented, either temporarily or permanently, based on the assessment and implementation results, within the Plan of Action and Milestones (POA&M).
- Identify all documentation required for complete package submission.
RMF Continuous Support:
A Cybersecurity Support Plan (CSP) to ensure you are maintaining your RMF, meeting your continuous monitoring requirements and implementing your POA&M.
Our all-inclusive Cybersecurity Support Plan will provide consistent and predictable cybersecurity support on a fixed budget. The CSP brings our entire breadth of capabilities to your team, which enables you to approach your ATO maintenance and renewal from a holistic perspective. Whether you need a fresh perspective, custom training, or just some extra knowledge and hands, our service ensures you stay in a cyber-ready status.
General RMF Consulting: remote or onsite consultation for any portion of your RMF project.
- Control Assessments and Gap Analysis: Review organizational documentation against system and control implementation. Provide expert guidance on how to fix or mitigate identified gaps based on each control’s current implementation.
- Document Preparation: RMF requires a great deal of documentation, including System Security Plans (SSPs), Security Policies and Procedures, Continuity Plans, Incident Response, etc. Our team can specifically tailor these documents to your organization and security program.
- System Hardening: RMF A&A requires systems and networks to be secured or “hardened.” Most systems, devices, and appliances arrive from the factory in an unsecured default state. Our Cybersecurity Analysts have worked with a wide range of coding challenges, proprietary applications, databases, and complex network infrastructures. We can provide the expertise that will enable you to receive an ATO, bring your organization into compliance, reduce your exposure to risk, and keep your data secure.