Risk Management Framework (RMF) is designed to “provide a process that integrates security and risk management activities into the system development life cycle.” At a high level, RMF is supposed to provide the following to CIOs, Warfighters, System Owners and Developers:
- Efficient enterprise management of cyber assets
- Potential cost savings
- More rapid deployment of solutions
- More efficient and effective delivery of services
- Standardized cyber requirements and validation procedures
The above was a worthy goal that did not account for the contractors who would support and execute the RMF transition. In truth, RMF has become a budget black hole and a schedule nightmare. Whenever a new process or standard is developed, the first goal most contractors have is to identify how to financially benefit from the change. I-Assure does not subscribe to this method.
We were here for the DITSCAP to DIACAP transition and led the way by developing tools and artifacts, made freely available to the community, to lessen the financial and schedule burden to the Government. We are here today to do the same thing for the DIACAP to RMF transition. Once again, we are leading the transition by providing free tools and artifacts to lessen the RMF burden.
Our RMF services are built on two key tenets:
- Risk Management Framework (RMF) should support, not drive, the Mission
- Firm-Fixed-Price contracting protects the Government and forces the Contractor to deliver
Our philosophy has enabled us to deliver cost-effective and secure solutions for over twelve years.
RMF Problems & Solutions
Proven Experience
We do what we say. Over 425 ATOs received to date. Our RMF submissions have never been denied by the Approving Authority.
Advanced Telemetry System – Classified
Advanced Telemetry System – Unclassified
AEGIS Support System
Air Force Medical Operations Agency
Air Traffic Control System
AMES Legacy Deployment Suite
Antisubmarine Weapon Control System
Applied Mechanics Lab
Assessment and Identification of Mine Susceptibility
ASW Support Network
Automated Budget Module
Base Level Item Tracking System
Budget Analysis Evaluation Reporting System
BUMED Manpower Information System
Calibration Lab Tracking System
Calibrations Automation and Readiness Reporting
Carderock Division Intranet
Carderock Division Unclassified Standalone Code 10
Carderock DMZ Core
Carderock Lenel Monitoring System
Carderock Public Address Network
CASREP Information System
Charade Red Testing System
Chemical, Biological, Radiological
Classified Asymmetric System
Classified Electromagnetic Mission Assurance Center
Classified LABNET Test Set Application
Classified Mission Assurance Decision Support System
Classified SEMCIP Technical Assistance Network
Coherent Data Collection System
Command Information Web Service
Command Multi-Media System
Confidential Shipboard Gridlock System
Conventional Ordnance Resource Program
Corona Classified RDT&E Network Infrastructure
Coupled Ocean/Atmosphere Mesoscale Prediction System On-Scene
Crane NMCI Classified Computing Infrastructure
Crane NMCI Computing Infrastructure
Crane Video Teleconferencing System
CVN Nimitz Class HM&E Network
DAC Wallops
DDG-51 Land Based Engineering Site
Dental Common Access System
Deployable Analysis & Data Reduction Systems
Directed Energy Test Lab
Distance Support Voice Over Internet Protocol
Distributed Engineering Plant
Distributed Tactical Communication System
Electromagnetic Trials
Electronic Attack System Engineering Lab
Electronic Badging and Access Control Systems Lab
Electronic Data Quality
Engineering and Calibration Component System
ESSM Logistics Information Management System
Expeditionary Electronic Warfare Systems Lab
Expeditionary Pack Up Kit
Gage Design & Certification
Gilligan Knowledge Base System
Global Deterrence and Defense Department Centrally Managed
GPS Ground Tracking System
Gun Weapon System
GWS MK 34
GWS MK 34 MOD 1
Homeland Defense Mission Assurance Portal
Hydrodynamic Analysis Network
Immunization Tracking System
Incentive Pay System
Information Management for Range Operations Center
Infrared & Electro-Optical Measurement
Integrated Warfare Systems Laboratory
IWSL RDT&E Tactical Support Enclave
Joint Department – Centrally Managed
Joint Effects Model
JXRS Training Lab
Lake Pend Oreille Weather System
Land Attack Systems Integration
Laser Weapons System
LCS Surface Warfare Mission Package
Legacy Systems Supportability Analysis Tools
Littoral Combat Ship Surface Warfare Mission Package
Littoral Combat Ship Surface Warfare RDT&E
LPD 17 ISEA/SSA
Magnetic Field Laboratory
MAGSIG
Maintenance Figure of Merit – Classified
Maintenance Figure of Merit – Unclassified
Maneuvering and Seakeeping Data Acquisition
Marine Air-Ground Task Force
Materials Division Lab
MCM-1 Class Integrated Ship Control System
Measurement Tracking Van
Medical Board Online Tri-Service Tracking
Medical Reserve Utilization Program
MET VAN Lab
Metrology and Calibration
MFOM-MRA Development Environment
Mission Assurance Division Unclassified Network
MK 41 Lab Test Suite
MK 41 Tactical Maintenance Suite
MK 41 Vertical Launching System (VLS) Component Configuration Tool
MK 41 Vertical Launching System (VLS) Data Web System
MK 41 Vertical Launching System (VLS) Software Development Network
MK 53 Decoy Launch System Research, Development, Test and Evaluation Lab
MK116-MOD7-ASWCS
MK53 DECOY LAUNCH SYS SFTWR DEV STE
Mobile Radio Frequency Engineering & Evaluation Network
Modeling & Simulation Applications for Radiation Sciences Cluster
Motion Measurement System
MSS Department
NATO Seasparrow Performance Assessment Network
NAVSEA WebXtender/ApplicationXtender
Navy Medicine Online
Navy Reserve Data Warehouse
Navy Reserve Readiness Module
Navy Reserve Web Site-Decision Support System
Network Connected Centrally Managed – Classified
Network Connected Centrally Managed – Code 10
Network Connected Centrally Managed – Code 60
Network Connected Centrally Managed – Code 70
Network Connected Centrally Managed – Code 80
Night Vision Electro Optics
NSWC Corona DDG 1000 DREN
NSWC Crane Air Gap Workstations
NSWC Crane Classified PIT
NSWC Crane Classified Research, Development, Test and Engineering Infrastructure
NSWC Crane Intranet Website
NSWC Crane RDT&E Network – DMZ
NSWC Crane SharePoint – Classified
NSWC Crane Unclassified PIT – Industrial Equipment
NSWCDD Classified RDT&E Enclave
NSWCDD SDREN Network
NSWCDD Unclassified RDT&E Enclave
NULKA Telemetry Receiving Equipment
Online Computer Information Exchange
Ordnance Test & Evaluation PIT – Test Equipment
PDM – Classified
Philadelphia Division Demilitarized Zone Core
Point and Firing Cutout Zone
Pollution Abatement Lab
Power Testing Closed Enclave
Propulsor Analysis and Design – Closed Enclave
Q50-CCN
Radar Signature Measurement System
Radar Support Environment
RAPID-SIL-cRDT&E
Real Time Administration of Reservists
Real-Time Extraction & Analysis Processor
Reentry Systems Simulator
Remote Data Acquisition System
Scalable Integrated Bridge Systems
SENSENET-Classified
Ship/Sub Environment and Missile Simulation
Shipboard Data Collection and Distribution System
Single Simulation Framework
SLICKWave
Smart Dispensing Van
South Florida Ocean Measurement Facility – Sensor Network
Southeast Alaska Acoustic Measurement Facility
Spectrum Department – Centrally Managed
SPY Data Analysis and Firmware Environment
SPY-3 GENSER Network Connection
Standalone Asymmetric Systems
Strategic Obsolescence Initiative
Strategic Systems Trident Lab Standalones
Strike Systems Development Network
Structural Analysis Lab
Structural Data Processing System
Submarine Acoustic Receiver/Transmitter System
Summarized Management Analysis Resource Tool
Surface Missile Systems Maintenance Data System–Classified
Surface Missile Systems Maintenance Data System–Unclassified
Survivability and Protection Analysis Computing Center
Survivability Data Acquisition Lab
Synthetic Aperture Radar Fielded System
System Security Engineering (SSE) Software Analysis Lab
Systems for Power & Protection
Tactical Software Support Center – Classified
Tactical Software Support Center
Tactical Systems Branch Lab
Target and Range Information Management System
Technical Data Knowledge Management
Test & Maintenance Computing Infrastructure
National Command, Senior Non-Command Billet Screening and Assignment Program
Theater Medical Data Store
Tomahawk Data Reduction System
Tomahawk Test and Development Network
Tomahawk Test Network
Total Ship Monitoring System
Trouble Failure Reporting
TUBAWEB
Unclassified Asymmetric System
Unclassified Electromagnetic Mission Assurance Center
Unclassified Engagement Systems Computing Lab
Unclassified Engagement Systems Server and Unix Client Lab
Unclassified Integrated Processing Environment
Unclassified Mission Assurance Decision Support System
Unclassified RDT&E Infrastructure
Unclassified W Department Computing, Display and Fiber Optic Evaluation Environment
US Coast Guard Machinery Control System, Land Based Test Site
Vertical Launching System
Vertical Launching System (VLS) Next Generation Interface Test Set
Weapons Technical Intelligence Exploitation Analysis Tool Development Lab
RMF Efficiencies: How I-Assure saves you time and money
Step 1: Categorize Information System
The purpose of the Categorize Step is to guide and inform subsequent risk management processes and tasks by determining the adverse impact or consequences to the organization with respect to the compromise or loss of organizational assets—including the confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.
Our Efficiencies:
- Pre-mapped FIPS 199 information types
- Pre-mapped NIST SP 800-60 information types
- Ready-made justifications to lower Provisional Impact Levels
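The Categorize step above is, at its core, the FIPS 199 / NIST SP 800-60 procedure: each information type carries a provisional impact level for confidentiality, integrity and availability; a provisional level may be lowered or raised only with a recorded justification; and the system's level for each objective is the high water mark across every information type it handles. The following is an added illustration of that procedure in Python. It is not I-Assure's tooling and not code from the original page; the information type names and impact levels in `SAMPLE_TYPES` are constructed for the example, not taken from SP 800-60. It reports both the per-objective C-I-A levels (the form CNSSI 1253 and DoD RMF use) and the single FIPS 199 high-water-mark value.

```python
"""FIPS 199 / SP 800-60 style categorization of a system from its information types.

Added illustration, not I-Assure's tooling. Rules implemented:
  * each information type has a provisional level (LOW, MODERATE, HIGH) per objective;
  * a provisional level may be adjusted only with a non-empty justification;
  * the system level per objective is the high water mark across all types;
  * the FIPS 199 overall categorization is the high water mark across objectives
    (CNSSI 1253 / DoD keep the C-I-A triple rather than collapsing it).
"""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")          # ordered low to high
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str                                   # information type name (hypothetical here)
    provisional: dict                           # objective -> provisional impact level
    # objective -> (adjusted level, justification); justification must be recorded
    adjustments: dict = field(default_factory=dict)

    def effective(self, objective):
        """Level actually used for an objective, applying any justified adjustment."""
        level = self.provisional[objective]
        if objective in self.adjustments:
            new_level, justification = self.adjustments[objective]
            if not justification.strip():
                raise ValueError(f"{self.name}: adjusting {objective} requires a justification")
            level = new_level
        if level not in LEVELS:
            raise ValueError(f"{self.name}: invalid impact level {level!r}")
        return level


def high_water_mark(levels):
    """Highest impact level in an iterable of level names."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Return ({objective: level}, overall) for a system handling the given information types."""
    per_objective = {
        obj: high_water_mark(t.effective(obj) for t in info_types) for obj in OBJECTIVES
    }
    return per_objective, high_water_mark(per_objective.values())


def format_fips199(per_objective):
    """Render the FIPS 199 notation: SC system = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    inner = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return "SC system = {" + inner + "}"


# Constructed sample input: names and levels chosen for illustration only.
SAMPLE_TYPES = [
    InfoType("Sample calibration records",
             {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"}),
    InfoType("Sample personnel data",
             {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "MODERATE"},
             adjustments={"availability": (
                 "LOW",
                 "Replicated nightly to a separate system; a multi-day outage is tolerable.")}),
]

if __name__ == "__main__":
    levels, overall = categorize(SAMPLE_TYPES)
    print(format_fips199(levels))
    print("Overall (FIPS 199 high water mark):", overall)
```

Running it on the constructed sample yields a MODERATE-MODERATE-LOW triple and an overall MODERATE. The justification check is the point of the adjustments field: lowering a provisional level without recording why is exactly what an assessor will push back on, so the code refuses to categorize until the rationale is present.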
Step 2: Select Security Controls
The purpose of the Select Step is to identify, select, tailor, and document the security and privacy controls necessary to protect the system and the organization commensurate with the risk to organizational operations and assets, individuals, other organizations, and the Nation.
Our Efficiencies:
- Tailored and ready to import Inheritance models
- Tailored Control Applicability models based on system architecture
- Tailored Implementation Plan imports
- Pre-made System Level Continuous Monitoring controls table
Step 3: Implement Security Controls
The purpose of the Implement Step is to ensure security controls are implemented consistent with DoD and DoD Component IA architectures and standards, employing system and software engineering methodologies, security engineering principles, and secure coding techniques.
Our Efficiencies:
- Automated STIG implementation
- Automated documentation creation
- Traceable artifacts to test cases
- Automated documentation updates
Step 4: Assess Security Controls
The purpose of the Assess Step is to use the appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
Our Efficiencies:
- Automated STIG assessment
- Automated documentation review
- Full time ISSE support to the Validator
Step 5: Authorize Information System
The purpose of the Authorize Step is to determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
Our Efficiencies:
- Fully traceable deliverables enable authorizing officials to make decisions quickly
- Quality of deliverables enables authorizing officials to make decisions quickly
- Full time support to quickly and efficiently answer questions and comments
- Full time support to quickly and efficiently make requested updates to the RMF deliverables
Step 6: Monitor Security Controls
The purpose of the Monitor Step is to maintain an ongoing situational awareness about the security and privacy posture of the system and the organization in support of risk management decisions.
Our Efficiencies:
- Automated scans to POA&M and Risk Assessment Report Tool
- Automated scan and POA&M comparison Tool
- Automated identification of hardware and software changes
- Automated documentation updates