NIST 800-37.2 and federal Risk Management Framework; all SCADA systems
Posted: Mon Mar 16, 2020 1:27 pm
Some thoughts about this. I was relieved recently to find that ALC corporate is making great strides in generating materials to perform a "type accreditation" for their system. What I found interesting was that under these NIST standards there is no such thing as an across-the-board product getting "certified to operate"; each installation must go through the RMF process and receive certification via the local "authorizing official". Not sure how some other vendors are handling that, but there must be similar things going on behind the rumors, and any rumor saying they are certified is BS. There's not actually a term "certificate to operate" in RMF.
ALC's "type accreditation" will use terms like "accredited in other facilities". It will also have "attestation" documentation from third party security penetration tester assessors and their findings. Basically it will be a package of docs stating that the product software and hardware supplied by ALC has been investigated and complies with NIST 800-37.2. This will be a huge burden off of the dealers and branches.
Type accreditation only gets you about 80% of the way there because RMF covers the entire installation. Physical security and networking are typically out of scope of controls work. The good news is that this seems to be spelled out in section 4.010.06, in that the design (the engineer), construction, and internal IT must be involved in the process. Not optional.
Also, what I found interesting is that this applies to ALL FEDERAL BUILDINGS, not just military bases etc. At the moment it seems in areas like ours it's being ignored, to the point where when we ask to identify the RMF authorizing official we generally don't get a clear answer. Yes, we see it come up in bids, they want it (required to), but the local people don't actually want to go through all the work.
One of the angles I especially like is that RMF requires recertification every three years. I can't tell you how many government facilities simply restrict access to the controls system and ignore it, never mind that the version hasn't been supported for a couple of years and it's on an OS that's end of life.