The Risk Management Framework (RMF) is often thought of as “bad words” when it comes to accomplishing information technology projects in a reasonable amount of time. The period from initial concept to deployment can leave an IT project inside the RMF process for years as it crawls through collaboration, re-work, and finally approval by the Authorizing Official (AO).
However, RMF Assessment and Authorizations (A&A) do not have to take that long. Naval Special Warfare Command, which operationally falls under the United States Special Operations Command (USSOCOM), follows the USSOCOM RMF Practitioner’s Guide, Version 3. This document is similar to the Navy’s RMF Practitioner’s Guide, but USSOCOM has adopted two methods for decreasing the amount of time an IT project takes for approval.
First, A&A teams are involved very early in IT project development to ensure project managers (PMs) are aware of the tasks that must occur to speed up an AO decision and IT project approval. Second is the adoption and use of Common Control Packages (CCPs).
The CCP is based on Common Control Containers, which are defined as a location or group that maintains or manages a control family and updates the individual Security Controls in the container when changes to processes or procedures affect a control. Using CCPs can result in significant savings in time and cost during the A&A process. IT projects that inherit Security Controls through a CCP do not need to explicitly answer those Security Controls, since the security capability is inherited and is being provided by another entity.
USSOCOM has implemented a five-tiered CCP structure, shown in Figure 1, Common Control Package (CCP) Tier Structure. Tier 1 is the Policy tier, which incorporates Defense Department, Committee on National Security Systems (CNSS), National Institute of Standards and Technology (NIST), USSOCOM, and other higher-level policies that affect every system within USSOCOM.
Tier 2 is the Network Agnostic tier, which groups processes that are agnostic of USSOCOM network enclaves. An example of an item included in the Tier 2 CCP is an Incident Response and Continuity of Operations Plan (COOP).
Tier 3 is the Network Specific tier, which documents the Security Controls that are specific to each enclave, for example NIPRNet, SIPRNet, etc. This CCP contains the bulk of the Security Control responses.
Tier 4 is the Component tier. This tier documents the Security Control responses that are specific to each Component within USSOCOM. The final tier, Tier 5, is the Site tier. This CCP documents the Security Controls that are specific to each site. Examples of Security Controls that can be included in this CCP are the Physical and Environmental Security Controls.
Efficiencies are gained in both preparing the A&A packages and continuously monitoring the Security Controls by choosing to inherit common controls from any of the CCPs. However, inheritance is not mandatory; a site can choose to inherit none, some, or all of the Security Controls.
As an example, an IT project with a Moderate Confidentiality Level, a Moderate Integrity Level, and a Moderate Availability Level has a total of 1,724 Security Control Assessment procedures in eMASS (Enterprise Mission Assurance Support Service). If all of the CCPs are applied, the number of Security Control Assessment procedures the A&A Team must respond to drops from 1,724 to approximately 98. Answering 98 Security Control Assessment procedures takes significantly less time than answering over 1,700.
In some cases, all of the CCPs cannot be applied. However, even applying a few CCPs reduces the total number of Security Control Assessment procedures the A&A Team needs to answer.
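To make the inheritance mechanism described above concrete, the following is an added example (not code from the article, from USSOCOM, or from eMASS). It models a tiered set of CCPs as a small lookup table, resolves which controls a project inherits and from which tier, and reports the residual assessment procedures the A&A Team still has to answer when none, some, or all of the tiers are selected. Every control ID, procedure count and tier assignment is constructed for illustration; the catalogue is deliberately tiny and does not reproduce the 1,724 and 98 figures quoted in the text.

```python
"""Resolve residual RMF assessment procedures after CCP inheritance.

Added example, not from the article or from any USSOCOM or eMASS tooling.
All identifiers and numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: a miniature control baseline. Each control maps to the
# number of assessment procedures it carries in this toy catalogue.
BASELINE = {
    "AC-2": 12, "AC-17": 9, "AU-6": 6, "CP-2": 10, "IR-4": 8,
    "PE-3": 7, "PE-13": 4, "PL-2": 5, "SC-7": 11, "SI-4": 14,
}

# Constructed: which tier provides which controls, mirroring the five-tier
# structure in the text (Policy, Network Agnostic, Network Specific,
# Component, Site). A control listed in more than one selected tier is
# attributed to the lowest-numbered (broadest) tier.
CCP_TIERS = {
    1: {"PL-2"},                            # Policy
    2: {"IR-4", "CP-2"},                    # Network Agnostic (IR plan, COOP)
    3: {"AC-17", "SC-7", "SI-4", "AU-6"},   # Network Specific (enclave)
    4: {"AC-2"},                            # Component
    5: {"PE-3", "PE-13"},                   # Site (physical/environmental)
}


@dataclass
class InheritanceResult:
    # control -> tier that provides it; this is the provenance an assessor
    # would record in the package for each inherited control
    inherited: dict = field(default_factory=dict)
    # controls the project must answer itself
    residual: list = field(default_factory=list)

    def residual_procedures(self, baseline):
        """Total assessment procedures left for the project to answer."""
        return sum(baseline[c] for c in self.residual)


def resolve_inheritance(baseline, ccp_tiers, selected_tiers):
    """Split the baseline into inherited and residual controls.

    selected_tiers may be empty (inherit nothing), a subset, or every
    tier, reflecting that inheritance is optional per site.
    """
    unknown = set(selected_tiers) - set(ccp_tiers)
    if unknown:
        raise ValueError(f"unknown CCP tier(s) selected: {sorted(unknown)}")
    result = InheritanceResult()
    for control in sorted(baseline):
        provider = next(
            (t for t in sorted(selected_tiers) if control in ccp_tiers[t]),
            None,
        )
        if provider is None:
            result.residual.append(control)
        else:
            result.inherited[control] = provider
    return result


def summarize(baseline, ccp_tiers, selected_tiers):
    """Return (residual procedure count, total procedure count)."""
    res = resolve_inheritance(baseline, ccp_tiers, selected_tiers)
    return res.residual_procedures(baseline), sum(baseline.values())


if __name__ == "__main__":
    for tiers in (set(), {1, 2, 3}, {1, 2, 3, 4, 5}):
        res = resolve_inheritance(BASELINE, CCP_TIERS, tiers)
        print(f"tiers {sorted(tiers) or 'none'}: inherit {res.inherited}, "
              f"answer {res.residual} "
              f"({res.residual_procedures(BASELINE)} of "
              f"{sum(BASELINE.values())} procedures)")
```

Running the script shows the effect the article describes: selecting no tiers leaves every procedure with the project, selecting only the first three tiers removes the enclave-wide controls but leaves the Component and Site controls (here the physical and environmental ones) to be answered locally, and selecting all five tiers leaves nothing residual. The `inherited` mapping is the part worth keeping in a real package, since each inherited control still needs a traceable provider.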
Working with the PM at the beginning of the A&A effort and establishing CCPs will take some time and effort by your A&A Teams. The savings in time and effort to complete A&A packages make the preparation work well worth the investment.