confirm terminology of various stakeholders

[afeld]

What are the official terms for these groups?

• The project team / person who owns the project
• Those who write the System Security Plan (SSP)
• Those who review the SSP
• Those who assess the system

I thought I knew, but after talking with @trevorbryant, it seems our terminology wasn't consistent. Therefore, I'm questioning my assumptions. Places to check:

• NIST Glossary
• NIST SP 800-37r2 Appendix D

[trevorbryant]

With the understanding that NIST allows guidance for each agency to be flexible in their implementation of the Risk Management Framework, the below are what I've learned in other agencies. Keep in mind that this is not the same for every agency.

• The individual that owns the project is the Project Owner or _Project Sponsor.
• Those that author the SSP are unique to X agency. Some are progressive and the FTE authors the SSP, others are too large (~90 or more AIS to ATO) and have large contract teams of auditors/assessors to author. Mainly, everyone responsible to that ATO and operation to that system is a contributor to the SSP.
  • For example, Department of State / Consular Affairs has 30-40 auditors/assessors that author the SSP for ~92 systems (that's just one of many bureaus). Branches in DOD have 60+ for ~2000.
• The contributors double also the reviewers. The AO or assigned delegate for RMF 5 also review and give final approval. ATOs deliverables are too large and complicated for a single person or small team.
• Those who assess the system are the RMF teams.
  • RMF 1-3 team builds the ATO package and sets the assessment plan to execute.
  • RMF 4 executes and performs the assessment plan to ensure the package is accurate. A SAR is produced with findings to the project teams to resolve. POA&Ms are decided here if a finding can't be quickly resolved.
  • Together, the authorization package is produced and delivered to the RMF 5 / AO.
  • RMF 6 is CONMON and supposed to contribute ongoing changes to the SSP. This part is very hard and overall a challenge for the USG.
  • Separation of Duties are applied where necessary amongst the security teams to avoid gamification of the process.

Keep in mind that terminology and processes differ between agency. Agencies can redefine words to fit their needs and that just needs an explanation so everybody is on the same page. You'll see above that the process I've described is very waterfall. With automation introduced this can be adaptable to being Agile and speedy. I've gone a bit beyond the quick and simple scope of the original questions, but RMF is a complex effort / project in itself.