Risk Management Framework Service Product Packages ensure mission partner compliance

Defense Information Systems Agency (DISA) Service Product packages provide mission partner authorizing officials (AO) a holistic view of their information systems risk posture. The packages are available to ensure compliance for mission partners who have programs and systems hosted within the DISA Computing Ecosystem.

Contained in the service packages are Control Correlation Identifiers (CCI), which allow high-level policy framework requirements to be decomposed and associated with low-level security settings to determine compliance with the objectives of that specific security control.

The DISA security control assessor (SCA) validates the packages, which are based on the services mission partners purchase from the agency. Mission partners inherit specific CCIs based on services managed by DISA.

“We are providing mission partners options based on their requirements and elected services. We are also saving mission partners time and resources by leveraging our tested, validated, and compliant CCIs,”said Stephanie Watt, chief of the Cyber Controls Section in the Computing Ecosystem’s Cyber Services Line of Business.

For example, Watt explained, mission partners on virtual operating environments have an option to select Service Package 4 or 5, which is “secure at will.” This enables DISA to make changes based on mission partner directed configurations, and the ability to secure at will without mission partner approval.

Although DISA has the authority to make changes to the system without mission partner approval, the agency will ensure the changes adhere to the change management process and make changes during the scheduled monthly maintenance downtime.

DISA transitioned from the DOD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) to integrate security and risk management activities into the information system development lifecycle.

“Another added benefit for mission partners is that these packages are in addition to, not a replacement of what the mission partner is currently inheriting from the DISA Data Center and Enterprise Infrastructure Backbone Network RMF packages. We are not replacing what is currently inherited, we are adding to it by providing more inheritance,” said Watt.

In addition to the DISA Service Product packages, the agency created additional packages to provide a foundation for mission partners to share, inherit, and operate within the RMF:

• The DISA Inherited Policy (DIP) Package contains DOD Chief Information Officer and DISA policy and guidance controls that are shared between DISA and mission partners. This package is “assess only” - there is no authority to operate or approval required by the mission partner.
  
  
• The DISA Data Center Package contains common, physical, and environmental controls for mission partners with programs and systems hosted within DISA data centers and field activities. This package must be approved by the DISA AO.
  
  
• The DISA Network Package contains common transport and network infrastructure controls for mission partners who utilize the DISA Computing Ecosystem Command Circuit Service Designators to transport and receive program and system information. This package must be approved by the DISA AO.

Mission partners can initiate the inheritance process by submitting an RMF requirements form via email to the DISA Computing Ecosystem Cyber Services Line of Business.  Once the form is validated, mission partners will request and receive inheritance via the Enterprise Mission Assurance Support Service (eMASS), a web-based application that automates the RMF process.

For more information about the RMF or the Service Product packages, please visit DISA’s Risk Management Framework customer portal (Common Access Card required).

Posted Jan. 23, 2018