Selecting RMF Controls for National Security Systems
In 2014, the United States Department of Defense began transitioning the way it performs risk management and accreditation of information systems to a process called the Risk Management Framework for DoD Information Technology (RMF for DoD IT). RMF offers many more security and privacy controls (and control enhancements) from which to select than the previous Information Assurance certification and accreditation process (DIACAP) did. This report attempts to clarify how security controls and enhancements are selected. After a brief overview and comparison of RMF for DoD IT with the previously used process, the report looks at how a system is determined to be a National Security System (NSS). For systems deemed NSS, the report then addresses the categorization of the information system according to the impact levels assigned to each security objective (confidentiality, integrity, and availability) and the selection of an initial baseline of controls. Next, the report describes tailoring those controls through the use of overlays and scoping considerations. Finally, the report discusses organization-defined values for tuning the security controls to the needs of the information system.