By Annette Leonard
The importance of the Authorizing Official (AO) in the RMF process is self-evident. As the individual charged with signing your Authorization to Operate (ATO), the AO is obviously a key player. Ideally, the AO’s role is not limited to that final signature—he/she should be an active participant in the process from the very beginning.
Since most AOs are senior level officials, they often employ AO Designated Representatives (AODRs) to work directly with the system owners.
This edition of the RMF Top Ten focuses on some questions you might want to ask your AO or AODR.
10. Are you available to participate in our periodic RMF status meetings?
It’s great to have AO representation at your meetings so the AO can be kept abreast of your progress and questions can be addressed promptly.
9. Do you need a copy of our RMF project schedule?
Most AOs and AODRs like to stay in touch with their system owners to make sure they are progressing in their RMF efforts. A copy of your project schedule (and periodic updates as necessary) will help them to stay up-to-date.
8. Are there any documentation artifacts you particularly want to see?
If you are using eMASS (Enterprise Mission Assurance Support Service), the AO/AODR should have access to your eMASS record and therefore have visibility into all your documentation artifacts. However, there may be one or two that he/she is particularly interested in. If you know which ones those are, as the system owner you can take actions (e.g., sending an offline copy of the particular artifact) that will ingratiate you with the AO.
7. What are your expectations for our Continuous Monitoring program?
Beyond the “standard” DoD monitoring tools (HBSS, the Host Based Security System, and ACAS, the Assured Compliance Assessment Solution), the AO may have a particular desire to see other forms of monitoring or periodic review.
6. How do we go about arranging for independent assessment?
Each DoD Component (Army, Navy, Air Force, Marine Corps, etc.) is responsible for developing its own methodology and “style” of independent assessment. The AO/AODR should be able to point you to any online resources or potentially even “recommend” an assessor team.
5. Do you need a brief when we have completed our System Categorization?
Some AOs insist on a formal brief of the categorization process and results. Others will agree to look at your documentation and nothing more. Still others will brush it off with “well, if that’s what you think your system categorization is, then that’s what it is.”
4. Do you need a brief when we have completed our security control baseline?
Again, some AOs will want to see a formal presentation of overlays, tailoring, etc. Others are content to trust that the system owner is best qualified to make these decisions.
3. Do you need a brief when we have completed our independent assessment?
It’s rare, but some AOs like to get preliminary feedback on assessments as they take place rather than waiting for an “official” Security Assessment Report.
2. Do you need a brief when the authorization package comes to you from the SCA?
Many AOs will rely on the recommendation of the Security Control Assessor (SCA), but others will insist on a formal “decision brief” from the System Owner, highlighting the residual risks and POA&M (Plan of Action and Milestones) items, prior to signing the ATO.
1. Is there anything else you need us to do to be successful?
It sounds trite to say, but AOs are human beings too. Each of them may have particular things they want to see happen—or don’t want to see happen—during the RMF process. It’s best to find out about any such “quirks” sooner rather than later.
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
Here is a link to a great book on RMF that we highly recommend.
A ton of other information can be found on the NIST website.