Risk Management Framework (RMF) Consulting Services for Product Developers
The Product Developer's Dilemma
As a product developer offering (or wishing to offer) your product(s) for sale to the federal government, you will sooner or later run into the dreaded “RMF wall.” Potential customers may ask you whether your product has been authorized or accredited, or even ask for a copy of your product’s “certificate.” However, unlike many other government product certification programs, you as a vendor cannot independently seek RMF security authorization of your product!
The RMF (and its Security Authorization component) is fundamentally a government process, carried out by government people. Formal authorization is required before federal agencies can place systems into operation. Many of those systems contain, or are composed of, products purchased from commercial vendors. The question is – what can the government reasonably expect vendors to provide in support of this authorization effort?
First and foremost, the answer is information – in the form of documented evidence of compliance with applicable federal security requirements. Product developers can maximize their “readiness” for formal authorization by:
- thoroughly analyzing their products' compliance with applicable security requirements
- making product improvements to enhance compliance where necessary
- documenting compliance in a manner that is readily usable and understandable by government customers and conducive to a determination of risk acceptability.
Secondly, the answer is support and teamwork. Even though RMF is the government’s own process, it is often not well understood by the government people tasked with carrying it out. The best way to ensure success is for the government and the vendor to work as a team. A knowledgeable vendor can facilitate the process and gain valuable credibility with the federal customer at the same time.
In response to these needs, the FISMA Resource Center is pleased to offer the following consulting services geared specifically to address the needs of product developers and vendors:
- RMF Compliance Survey – a “short-turnaround” service to provide you with a basic view of your product’s compliance with applicable federal security requirements, and a set of practical recommendations for compliance improvement.
- RMF Readiness Assessment – a much more comprehensive service that includes extensive “hands on” testing to provide a detailed view of your product’s compliance, detailed technical recommendations, and a security documentation package formatted according to government standards.
- RMF Liaison Consulting Services – a consulting service designed to help “bridge the gap” between your organization and your current or potential federal customers.
RMF Compliance Survey
Our RMF Compliance Survey consulting engagement is designed to quickly provide an assessment of your product’s level of compliance with federal security standards and offer practical recommendations for compliance improvement. An RMF Compliance Survey can typically be completed in 21 days or less, and includes the following activities:
- In-brief teleconference. In this meeting, we present a short overview of FISMA and RMF, receive a product overview from your company, identify key individuals within your organization, and identify documents for review.
- Interview and document review. We will review the documents you have provided, supplemented by discussion with appropriate persons in your organization, in order to gather additional information about your product and begin to evaluate its security functionality against the applicable federal information security controls and standards.
- On-site compliance review. We will meet with your team to review the federal information security requirements and assess your level of compliance.
- Written report. We will document the results of these activities in an RMF Compliance Survey Report, consisting of an executive summary and an evaluation of your product’s compliance, including recommended steps for compliance improvement.
RMF Readiness Assessment
Our RMF Readiness Assessment consulting engagement offers a much more detailed compliance evaluation, including “hands on” testing of your product. Depending on the complexity of your product, an RMF Readiness Assessment may take 10-12 weeks, or more, to complete. Typically, the RMF Readiness Assessment will entail the following activities:
- In-brief. If you have not already completed an RMF Compliance Survey, we will conduct an in-brief teleconference as described above.
- Document reviews and discussions. We will review your product documentation at a technical level, and conduct interviews with appropriate personnel within your organization.
- Test plan. Based on review of your product documentation and follow-up technical discussions, we will develop a comprehensive plan for testing your product’s security functionality and compliance.
- On-site testing. We will spend several days at your facility conducting observations and “hands on” testing (with a variety of security testing tools), along with follow-up discussions, in order to evaluate the technical aspects of your product’s security.
- Analysis. Information from document reviews, discussions and on-site testing will be analyzed to produce a detailed assessment of compliance with each of the applicable federal requirements, and to develop a set of recommendations for compliance improvement and risk mitigation.
- In-process briefing. We will verbally present the “highlights” of our findings and recommendations.
- Development of deliverables. In addition to a comprehensive RMF Compliance Report and executive summary, we will also provide a documentation package (System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR), and Plan of Action and Milestones (POA&M)), formatted in accordance with federal standards.
- Out-brief meeting. We will present our “final” set of findings and recommendations, based on the deliverable documents.
The deliverables from the RMF Readiness Assessment will play a major role in facilitating formal authorization of your product’s “installed base” within the federal government. Also, they will serve as a powerful weapon in your company’s marketing arsenal. In some cases, this can be the “competitive edge” that separates your product offering from that of your competitors.
RMF Liaison Services
Our RMF Liaison consulting engagement is designed to assist you in working with your government customers (and potential customers) on security-related matters. Services we can perform in this capacity include, but are not limited to:
- participation in pre- or post-sales meetings with your government customers as an information assurance “subject matter expert”
- assisting your government customers in understanding your product’s security features and regulatory compliance, or even the RMF itself
- assisting your staff in drafting appropriate security language for proposals and marketing material
- assisting your staff in drafting security-related language in technical documentation such as product installation and operating manuals, etc.
RMF Resource Center is an independent consulting organization dedicated to assisting federal agencies and their suppliers in understanding and implementing the RMF.
RMF Resource Center is a division of BAI Information Security Consultants. BAI has been a provider of information technology and security consulting services since 1974, specializing in security authorization (Certification and Accreditation) of federal information systems. BAI founder and principal consultant Lon Berman has over 35 years’ experience and is a recognized authority on certification and accreditation of federal information systems.