Corsec Perspectives

RMF and Its Place in Security Certifications: What Is It and Is It Replacing UC APL?

As companies tap into the growing addressable markets in the Commercial and Federal sectors, they are confronted with a litany of standards, acronyms and security validations they must satisfy in order to stay relevant. The list is daunting, and making sense of it has been our singular focus for the past 18 years. In that time we have worked with over 400 products; our customers have come to us as they experienced strong growth, or interest in their products from the Commercial and Federal sectors, but had to clear that list of security requirements as a prerequisite to market entry. Today the list includes RMF, and companies that come to us are trying to figure out what RMF means, how it affects their go-to-market readiness and how it can help differentiate their product offerings in the marketplace.

Corsec’s Kathleen Moyer discusses the myths and nuances of RMF and how companies can leverage it to create competitive advantages. Kathleen addresses the key questions from some of the companies that have come to us.

What is RMF and How Does It Affect My Business?

RMF, the Risk Management Framework, is NIST's process for managing the security risk of information systems (NIST SP 800-37). DoD adopted it for DoD information technology in DoDI 8510.01, which, together with the DoD cybersecurity policy DoDI 8500.01, forms the current DoD implementation of the Federal Information Security Management Act (FISMA). DoDI 8500.01 instructs DISA to develop and maintain SRGs, STIGs and usage guides that are consistent with DoD cybersecurity policies, and to oversee and maintain the connection approval process (which, in DISA's words, "provides existing and potential NIPRNET, DATMS-U, and OSD Commercial Internet Waiver subscribers with connectivity requirements that must be followed"). RMF itself has six steps: categorize, select, implement, assess, authorize, and monitor.

In terms that industry can understand, RMF provides a structured approach to managing the risk that comes with incorporating an information system into an organization. A security product sold to the DoD is assessed under RMF as part of the system it is deployed in, so the product and its vendor need to support the RMF process. Therefore, if a company wants to penetrate any of the US DoD markets (Air Force, Army, Marines, Navy or National Guard), it must ensure its security solutions adhere to the guidelines laid out in RMF.

Where Is the UC APL In This?

UC APL (Unified Capabilities Approved Products List) is a component of RMF: it is the DoD certification and connection approval process for unified capabilities products defined by DoDI 8100.04. It is one of the four requirements that DoD cybersecurity policy places on cybersecurity products:

  1. Unified capabilities products will receive unified capabilities certification in accordance with DoDI 8100.04 (this is UC APL).
  2. Products that protect classified information must comply with CNSSP 11 (this calls for FIPS 140-2 and Common Criteria).
  3. Products must meet security configuration guidance in accordance with Chapter 113 and comply with the connection approval process established in Chairman of the Joint Chiefs of Staff Instruction 6211.02D (which calls out DISA connection approval, i.e. UC APL, as well as FIPS, Common Criteria and Suite B).
  4. Products will comply with the requirements of DoDI 5200.44 (which covers supply chain risk management), as applicable.

Companies going through UC APL government testing receive a SAR (Self Assessment Report) from the test center, which comes with a DIACAP Scorecard and the 8500.2 IA Controls. As JITC tests the STIG/SRG requirements, it is also testing these areas. Vendors often never see the completed DIACAP Scorecard or 8500.2 IA Controls, because they can be buried in the plethora of forms that face them.

RMF is the replacement for DIACAP, and UC APL testing provides a mapping to the old DIACAP scorecard. The STIGs and SRGs used in UC APL form a major piece of RMF. As the transition to RMF continues, the UC APL process will be modified to support RMF: the test reports, Plans of Action and Milestones, and IA and IO certifications received through UC APL can be used to support the RMF process, and the DIACAP scorecard will be replaced with an RMF Security Assessment Report (SAR). As part of the UC APL process the vendor's product receives an IA certification from the DoD CIO and an IO certification from the Joint Staff. Because RMF pulls in the product requirements listed above, it also sets the guidelines for FIPS, Common Criteria and Suite B. In short, RMF is not replacing UC APL; UC APL is being folded into it.

How Does This Impact Certifications In-flight?

Every company’s approach to certifications and security validations is unique. Corsec reviews the ever-changing requirements and advises companies on what changes need to be made, and the implications in the broader landscape.

Conforming to RMF is Just One Piece of The Puzzle

If you have not started the process yet and are being asked to comply with RMF, perhaps we can help.

Contact us and help us understand how RMF is impacting you and how we can assist you.


Connect with Us

13135 Lee Jackson Memorial Highway, Suite 220 | Fairfax, VA 22033 | Tel: 703.267.6050
