Dear Dr. RMF,
Government IT Security staff work with systems owners to make sure that all systems in the agency have implemented the proper Risk Management Framework (RMF) controls. Organizations have deployed technologies like eMASS, XACTA, and RSA to manage the workflow and documentation for the RMF for their systems. Yet, there is confusion about how to implement RMF when the systems move to the cloud. Should government organizations contractually mandate audits? Should the IT Security Department request the RMF packages from the cloud vendor for review? Should the vendor be required to update the RMF compliance software tools and be treated like all other systems that are part of the RMF process?
In an RMF Dilemma
Dear Dilemma,
First of all, Dr. RMF wants to reassure you that you are not alone. Numerous organizations are being “encouraged” (or “compelled”) by their management to start moving systems and applications to the cloud. Most are feeling uneasy about the information security implications of the move. High on the list of their concerns is, of course, RMF.
A healthy dose of concern is a good thing, but there is no reason to panic. The truth is a government-owned system hosted by a commercial Cloud Service Provider (CSP) is not that much different than a system hosted in a government data center. Think about it. Commercial CSPs use virtualization technology to provision resources (e.g., servers) for their hosted customers. Modern government data centers are doing the same. Government data centers provide numerous RMF controls for inheritance by hosted systems. Ditto for commercial CSPs. Just like you would for a hosting data center, you’ll need to ask a potential CSP for a list of the controls they are authorized to offer as inherited or shared. Government data centers have Authorization to Operate (ATO) in accordance with RMF, which provides assurance to hosted customers that they are being configured and operated in a secure fashion. CSPs are subject to a very similar process, variously called FedRAMP in the civil agency sector and DISA Provisional Authorization in the DoD world. Again, you’ll need to ask potential CSPs for a copy of their FedRAMP or DISA ATO.
Government agencies are implementing solutions to facilitate the “interface” between government networks and the cloud. For example, DoD offers a Cloud Access Point (CAP) to control and monitor network traffic between government and cloud.
Also, DoD Cyber Security Service Providers (CSSPs), also known as Computer Network Defense Service Providers (CNDSPs), are available to systems hosted in the cloud.
Any tools you are using to support your RMF efforts in your current environment should be applicable to the cloud environment as well. CSPs are making efforts to facilitate the use of tools, e.g., by “publishing” their suite of inheritable/sharable controls in DoD eMASS.
You will undoubtedly face numerous challenges in migrating your systems to the cloud environment, but Dr. RMF is confident the RMF challenge will be a manageable one.
Dear Dr. RMF,
First of all, I just stumbled across this blog a few days ago... awesome! There are piles of documentation but not enough community-sourced help for the RMF process. I tried starting an RMF sub-reddit but it never took off!
I have so many questions! But one in particular that is hard to get answers to: what are the pros and cons of providing inheritance?
I support a system that will automate access control processes for a number of other systems, which will interface with us through an API. We handle the 2875 process, spit them a set of outputs, and their system provisions an account based on what we send. There are a number of other recertification features designed to remediate audit findings, but I don't need to get into the details.
The goal is for us to provide a handful of AC controls to inherit to these connected systems. What types of considerations and risks should we keep in mind when deciding what controls to provide for inheritance?
Thank you so much!
Inheritance-r-Us
Dear Inheritance-r-Us,
In spite of the fact that your sub-reddit effort was not successful, Dr. RMF commends you for trying to increase the level of communication within the RMF community.
Offering up controls for inheritance is clearly an advantage to the connected systems that interface to you. Inheritance allows them to leverage your compliance and avoid having to deploy their own technical solutions or develop their own documentation in those specific areas.
The challenge is to select controls for which you are able to provide 100% of the implementation. With the obvious exception of physical and environmental controls, there are probably only a few controls that your connected systems can fully implement solely by leveraging your implementation. For many other controls, it is far more likely that your connected systems’ implementation would be a combination of your efforts and theirs. Dr. RMF recommends you consider offering them up as hybrid inherited controls.
The biggest issue that can arise from security control inheritance is that receiving systems tend to “blindly” accept everything a common control provider offers. What they should be doing is carefully reviewing each control that is offered up as inheritable and selecting for inheritance only those that they can truly comply with by virtue of the provider’s implementation.