Objective
The objective of this project was to provide a prescriptive, step-by-step method to facilitate and accelerate Risk Management Framework (RMF) Self-Assessments through automation. Supporting objectives include:
- Low cost implementation
- Effective resource for all aspects of Facility-Related Control Systems (FRCS) owner security planning and implementation
- Intuitive, highly repeatable and applicable across system types
- Clear delineation of cybersecurity stakeholder actions
- Government support of integration with RMF processes, such as Reciprocity and Reuse
Technology Description
The RMF Self-Assessment Tool (R-SAT) is an Excel based tool that was designed to streamline the process for obtaining an Authority to Operate for network-enabled FRCS by providing focused, step-by-step guidance and outputs supporting RMF Steps 1-3. R-SAT works in conjunction with the Enterprise Mission Assurance Support Service (eMASS) government-owned application. R-SAT’s customized Visual Basic macros apply user inputs against a series of condition-specific integrated databases to produce output forms for additional tailoring and subsequent eMASS upload. R-SAT was demonstrated and circulated to FRCS stakeholders.
Demonstration Results
The findings and performance assessment from the demonstration and outreach provide evidence that R-SAT is a useful tool that will yield a time savings to FRCS system owners that must perform RMF Self Assessments.
Performance Assessment: The objectives of the project were assessed using quantitative (reduction of labor hours to complete RMF) and qualitative (user acceptance) performance metrics. FRCS Stakeholders were sampled between August 2018 and the Short Course demonstration at the ESTCP Symposium on December 5, 2019. The performance objectives and findings indicate that R-SAT will contribute a time savings and value to FRCS stakeholders.
Cost Assessment: R-SAT is free for public use and performance metrics demonstrate a cost savings in terms of labor hours. R-SAT functionality may be impacted by updates to eMASS or FRCS policy and guidance. Updates to R-SAT will be necessary to keep pace. Therefore, a cost estimate for ongoing maintenance of R-SAT by a designated Federal organization was estimated.
Implementation Issues
There are however some implementation issues. R-SAT is a tool that requires a learning curve for users in order to understand the functionality and tailoring options. The software was designed to be intuitive and user friendly; however, users must be willing to invest upfront time in learning the software. Additionally, R-SAT is an Excel worksheet with Visual Basic programming and some users may have concerns with using a macro-enabled Excel document. Finally, R-SAT’s functionality may be impacted by updates to eMASS or FRCS policy and guidance; therefore, updates to R-SAT will be necessary to keep pace.