[00:00:00,090] In this lesson, I want to give you some basic thoughts on RMF that are important to realize before we start diving into each of the steps individually. Now for most of us who are working in the field, our goal in using RMF is to be able to gain approval to operate some kind of a sensitive system, or some kind of a support system. Now, for most of us working in the field, we are going to be using RMF in order to gain approval to operate a sensitive system within the federal government because that is the biggest consumer of using the RMF or risk management framework. That being said, there are some government contractors, as well as a lot of commercial institutions, that also use RMF in their own business practices. For this reason, it's important to understand exactly how it's going to be implemented in your organization, and how strictly they're going to follow RMF. Now, you may have noticed I used the word sensitive system when saying that we wanted to gain approval for something using RMF. And you may be wondering, what exactly is a sensitive system?
[00:00:56,850] Well, a sensitive system is a system that contains or processes sensitive data or plays a key role in mission support. Now that brings up two additional terms we have to define; these are sensitive data and mission support. Now when I talk about sensitive data, I'm really talking about information that must be kept safe and out of reach from any outsiders unless they have specific permission to be able to access it. If you come from an information security background, when you think of sensitive data, you may think of things like classified data, like secret data, or top-secret data in a military context, and that is one type of sensitive data. But data doesn't have to be classified in order to be sensitive. For example, if I took a copy of your medical record, that would be considered sensitive data because there are a lot of laws and regulations that have to do with medical data being held by somebody. And that all falls under the HIPAA protections inside of the United States. Now in addition to that, there are also rules that affect how you're going to store educational data.
[00:01:55,530] So if I was working at a public university and I had a list of your grades for my course, that data has to be protected under FERPA, which is another law here in the United States. In addition to having things that are protected legally, there's also data that we consider sensitive, even if there's no requirement from a regulatory perspective that says we have to protect it. A good example of this might be a vulnerability scan that you just conducted of your organization's network. So you just scanned your network and you found all the vulnerabilities on all of your servers and desktops and laptops and tablets; what are you going to do with that data? Are you just going to place it on a hard drive someplace that anybody can access? Well, no, of course not, because that is the keys to the kingdom. If an attacker got ahold of that, you've done all the reconnaissance for them and they know exactly where to attack you. So we would consider that to be sensitive data as well.
[00:02:43,710] So I think you get the idea when I talk about sensitive data: we're not just talking about classified data or regulated data, but there's other data that could be sensitive to your organization and you want to make sure that's well protected too. Now, the second definition we have to make is what's called mission support. And you may be wondering, what is mission support? Well, this is a term that's used inside the OMB Circular as well as in RMF, and when we talk about mission support, we are talking about any kind of system that is going to be used to assist another system in the accomplishment of their objectives. So if I think back to my military days, we used to have a system that allowed us to see the position of all of the enemy aircraft and ships that were near us. This system is something we used for command and control. Now the data inside of that system was classified to the level of the network it was on. So if I was on an unclassified network, I would have unclassified data, such as the location of cruise ships and container ships and things like that.
[00:03:39,780] But if I went to a secret network, I could see secret information such as, where are the enemies located? If I went to the top-secret network, I could get additional information such as, how do I know where those enemies are actually at? And that involves the technology involved in locating those folks, not just their position. So all that data is going to be kept in the system based on the classification level of the system; that's the sensitive data part. Now in addition to that, this system which was critical to us achieving our mission also got data from lots of other systems, and those systems may have been unclassified sources. For example, in the Navy, one of the sources of data we get is what's known as AIS, which is the automatic identification system. Every commercial ship out there, whether it's a cruise ship or a fuel tanker, they all have to have a beacon on their ship that says, here I am, this is my purpose and here is my location, and here's my next port of call. And all that data is considered unclassified.
[00:04:34,890] But we may take that data and move it into a classified system as well. Because that unclassified system is now talking to this classified system that is supporting our mission, it becomes something that is a key role in mission support, and therefore we would want to make sure we have the proper protections and put it through the RMF process as well. Now, the reason this is important to think about is because RMF doesn't have to be used for every single system you have, but it does have to be used to gain approval to operate any sensitive systems. And sensitive systems are those that contain or process sensitive data or play a key role in mission support, so keep that in mind. Now another thing we need to talk about when it comes to RMF is the fact that this is a framework, and a framework is not a checklist. A lot of times people who are new to RMF think they have to do everything inside of RMF and do it perfectly, exactly how it says, but that is not true. When it comes to RMF, it is not to be followed exactly as written.
[00:05:31,500] Instead, there's often going to be a difference between how RMF is documented and how it's actually interpreted by the organizations who are going to use it. Remember, RMF can be tailored for your organization. If you're using it in a very small environment, you may want to tailor it downwards. If you're using it in a larger environment, you may want to scale it upwards. And, again, depending on the size of your system, you can scale it up or down as well too. Now, this ability to scale RMF upwards or downwards may seem really strange to you, especially if you come from a federal government or military background. And the reason for this is we tend to be used to people following rigid checklists and rigid procedures inside the Department of Defense, and most of the government at large. But each organization does have the ability and authority to interpret RMF and apply it as they see fit. According to the OMB Circular A-130, federal agencies must use RMF.
[00:06:24,750] But it doesn't dictate exactly how they have to use RMF, and that is where the power comes inside of your organization and specifically from your authorizing officials. So, what does this mean in the real world? Well, it means that some organizations are going to be better than others at interpreting it and figuring out the ways that they're going to identify risk, prioritize that risk, identify the threats, perform their risk assessments, and manage the risks and mitigations. And they can do this very stringently and in a very well-defined process, or much more loosely if they're a more agile organization. This means you may not know where exactly to begin when you start working at a new organization and you're trying to tailor RMF for that organization. Instead, you need to start talking to other people in the organization and figure out, how is RMF done in your organization? Because every organization is a little bit different.
[00:07:15,150] Now, all the things we talk about in this course are applicable to RMF and you're going to be using them in your organization, but they may be done in slightly different ways. For example, when you do the selection process for your controls, how are you going to do that? Is this going to be done in hard copy, on paper? Is it going to be done in an Excel spreadsheet? What about an email? Maybe it's going to be using a specific system that's going to collect all that data for you and which controls you're going to select. There are many different ways to do it, and you don't have to do it any particular way. It really is up to your organization and how they want to do it. So I encourage you, if you're starting a new job and you're asked to do RMF, I want you to talk with your supervisor and other senior decision makers in your organization to find out which steps and tasks inside of RMF are particularly useful to them and which ones aren't. This will help you be able to tailor it for your organization.
[00:08:04,260] Also, remember, you cannot decide things in a vacuum when working in RMF. RMF, unlike a lot of other things in the IT world, requires massive collaboration across your organization. Very rarely is there going to be a single person who's going to do all seven steps of RMF. Instead, you may be involved with just steps one, two, and three, or you may only be involved with step six if you're a senior decision maker who's been told they're going to be the authorizing official. And so it's important to realize that RMF and your usage of RMF is going to vary depending on your job, role, and organization that you're working inside of. The final thing we need to talk about in terms of RMF is the fact that RMF has a lot of different supporting tools that you can use, but RMF is not considered a one-size-fits-all type of solution. Instead, everybody's going to be working at different scales, whether that's a bigger scale or a smaller scale, based on their own unique organizational needs.
[00:08:57,450] For example, RMF can be applicable to a large web-based piece of software that you're using as a Software as a Service, and this is going to be used by hundreds or thousands or hundreds of thousands of people. For example, I used to work with the United States Navy and they have a system called NSIPS, N-S-I-P-S, which stands for the Navy Standard Integrated Personnel System. This system is a web-based Software as a Service application that everybody in the Navy uses, whether they're a Navy person in uniform or a Navy civilian working for the Department of the Navy. Either way, this system is used for everything they do, including the ability for them to ask for vacation time, which they call leave inside of the Navy. In addition to that, they can go into that system and ask to be able to quit the Navy and retire once they've hit their 20 years if they're active duty, and lots of other things like that.
[00:09:44,820] And all of this is done inside this massive web-based system, and that web-based system had to go through RMF and get approval to operate because it's containing a lot of sensitive data, in this case, a lot of PII or personally identifiable information. Now on the other hand, I've also used RMF in a lot of smaller tactical style systems that are only going to be used for a handful of people to support a specific mission, and it may only last for a specific amount of time. For example, many years ago, I went through the RMF process for a smaller network that was going to support about 50 to 100 users. This network had to be designed, engineered, and architected, and then installed on a ship at sea. This network was going to support 50 to 100 people that were going to come out to the ship, and they were going to be there for about two weeks for a major exercise with the US Navy's international partners. And because we had these international partners on the ship, they weren't allowed to use the regular ship-based network because that was only reserved for American crew members.
[00:10:40,170] So we had to create a substitute network that we allowed them to be able to access while they were at sea for that one to two weeks. Now, again, this was a smaller network for a very short period of time. And so as we built out that system and we built out our authorization boundaries, we kept it at a very small scale so we could move through the RMF process very quickly, gain approval, and then put this thing on the ship and allow people to use it. After the two weeks were done, we took down the network, removed all the equipment, and closed out that network, and the RMF authorization for it. This is what we're talking about when we talk about the ability to scale up or scale down based on the number of users and the scope of control for that system that is going to be authorized by the authorizing official in the RMF process. So remember, when it comes to RMF, it is not a checklist, it is a framework, which means you can pick and choose the things you need, based on your organization's requirements, but you can't do that in a vacuum.
[00:11:32,040] This is going to be something that's going to be a discussion between you, your supervisor, and the other decision makers in your organization to determine exactly how RMF is going to be implemented where you are. And then when it comes to using RMF, it can be done in many different ways, from a very small-scale thing on a PDF or a Word document, or a very large-scale thing like using eMASS, which is a tool we'll talk about later, that allows you to do RMF using a web-based Software as a Service application that can support these massive, large, and complex systems that you may be using if you're building large-scale information systems that are going to be dealing with sensitive data inside of a federal agency.