Risk Management Framework Requirements

Source: https://csrc.nist.gov/CSRC/media/Projects/risk-management/images-media/RMF%20Logos/PNG%20Format/NIST%20RMF%20Graphc.png

Posted on February 2, 2023 | Completed on December 29, 2022 | By: Philip Payne

Can you provide a checklist of requirements that DoD agencies use to set up an Authority to Connect (ATC), Authority to Test (ATT), or Authority to Proceed (ATP)?

The Cybersecurity and Information Systems Information Analysis Center (CSIAC) was asked to identify formal documentation that can be used to develop a list of cyber and standalone network security requirements associated with an Authority to Test (ATT), Authority to Proceed (ATP), or Authority to Connect (ATC). According to the Defense Information System Network (DISN) Connection Process Guide (CPG), an ATC is a formal statement by the Connection Approval Office granting approval for a U.S. Department of Defense (DoD) information system (IS) to connect to the DISN; an Authority to Operate (ATO) authorization is granted by an approving official for a DoD IS to process, store, or transmit information; and an ATO indicates a DoD IS has adequately implemented all assigned cybersecurity controls to the point where residual risk is acceptable to the approving official. CSIAC pointed the inquirer to resources such as the NIST Cybersecurity Framework, NIST Risk Management Framework (RMF) Policies, and the DISN CPG. The inquirer was also directed to the “Select” step of RMF to select, tailor, and document the controls necessary to protect the system and organization commensurate with risk.
