RMF, Security Plans, POAMs: All Dynamic

Anyone who has ever used the Risk Management Framework (RMF) in two or more different organizations can attest to how dynamic RMF, Security Plans, and Plans of Action and Milestones (POAMs) are. They are so dynamic, in fact, that no two organizations utilize them the same. That’s one of the things that Information Assurance professionals both love and hate about them. RMF is so dynamic that it can be applied to any system at any organization. However, this same characteristic also makes it a challenge for organizations to fully wrap their arms around.

The Risk Management Framework Explained

The Risk Management Framework is a six step process developed by the National Institute of Standards and Technology (NIST) that is designed to combine security and risk management activities into the normal system development life cycle (SDLC) of a system. Organizations complete this task using the controls found in NIST SP 800-53 to assess their systems. Some organizations also use SP 800-53A, which is an addendum to the SP 800-53 that gives more details on assessing the selected controls for a system, as well as providing guidance for some overlays. Recognizing how dynamic this framework is, NIST continuously provides updates. The current revision of RMF is 4, which was adopted by the federal government in 2014. Revision 5 is expected to be released before the end of calendar year 2017. While it can be cumbersome to change from one revision to another so quickly, it is often to the benefit of the organizations. Often times, the new revisions capture what the previous revision did not address. The RMF is a continuous process, which by design does not end until the system is decommissioned. While RMF is designed to be ongoing, many government organizations have not adopted a true “continuous monitoring” state for their systems. Instead, many organizations continue to re-accredit their systems every 3 years. These re-accreditation efforts are very labor and time intensive, causing many organizations to have systems that are not in compliance.

So Many Security Controls!

In addition to using the RMF to accredit their systems, many organizations have created organization-specific controls to address security vulnerabilities within systems that are not captured in the current version of the NIST SP 800-53. There are 18 security control families in SP 800-53 with over 1,000 controls to choose from. Some of these controls are rolled into one control. For example, SI-4 has 24 control enhancements that can be applied. If the control is applicable to the system, each enhancement must be addressed, even if it is to say that the enhancement is not applicable to the system. With these numbers, it is easy to see how burdensome the task of accrediting and maintaining the security of a system can be resource draining.


Security plans are expansive documents written to give details on the system such as its use, interconnections, location, etc. In this document, each control and enhancement is accounted for. The Information System Security Officer (ISSO) is responsible for recording the implementation status for each control. ISSO’s can choose the following for the status: Implemented, Compensated, Not Implemented, Planned. Whatever the status, there must be a detailed explanation for each finding. On controls where there are enhancements, this status must be listed and explained for each enhancement. This part of the RMF is what takes ISSO’s the largest amount of time to complete. It is an extremely cumbersome task that requires coordination and cooperation from many different teams, much like an elaborately arranged symphony that only works if the entire orchestra works together. The size of a security plan is heavily dependent on how many controls are applicable to the system.


Plans of Action and Milestones (POAMs) are a critical element of the RMF process. It is rare that a system is accredited with no lingering vulnerabilities. Even those that are often experience a vulnerability present on the system at one time or another. It is important to track these vulnerabilities in a comprehensive way. This is done using POAMs. The POAM task is ongoing from accreditation to decommission of all systems. It documents each vulnerability found on a system that cannot be remediated within 30 days. Each POAM has a number, Title, Creation Date, Description of the Weakness, Severity Code, Point of Contact, and Funding Resources Required, Milestones, and Overall Status required to be entered. There is also a multitude of optional information that can be entered to better keep record of the vulnerability. Once a POAM is created, it never goes away. This allows the stakeholders to view an entire history of the system’s vulnerability as desired. Many organizations use POAMs to determine if a system is allowed to maintain its Authority to Operate (ATO). Systems that have historic evidence of POAMs remaining open for extended periods of time risk having their ATO revoked.

The overall importance of POAMs is often not understood, to the detriment of many organizations. POAM information is required to be reported to FISMA and can alter the compliance status of an entire organization. For example, if you have an organization with five components and one component has 20% of the entire organization’s POAMs. If all of those POAMs are in a failing status, because they were not remediated within specified time period, that one component can cause the entire organization to receive a failing score for FISMA compliance. This level of visibility is enough to give an organization undesired attention.

How ATO as a Service Can Help You

Currently, the RMF, Security Plan, and POAMs all require a considerate amount of manual effort. Can you imagine the amount of relief ISSO’s would receive if even a few of the most critical tasks were automated? This is where cFocus comes in. We are using data provided by industry experts to streamline this process using ATO as a Service (ATOaaS). cFocus’ ATOaaS has the potential to improve efficiency within organizations by removing some of the manual effort associated with securing an ATO. cFocus utilizes a custom SharePoint site that is customized to each organization’s specific requirements. Using ATOaaS will allow stakeholders such as the CIO, AO, and CISO to effectively manage digital artifacts required for RMF. ATOaaS is a critical component for managing on-going ATO’s, continuous monitoring, and improvement and change management process that utilize the RMF.