
Tailoring Your System Package Controls Listing

When your system package is added, you specify the confidentiality, integrity, and availability (C-I-A) levels for that system package, which you determined early in the RMF process, or the appropriate FedRAMP or StateRAMP™ level if you are managing one of those packages. These settings determine the specific NIST control families, major controls, and subcontrols that you must meet for system package compliance. Setting these levels gives you a default listing of controls and subcontrols you need to meet.

However, if applicable, you can tailor your controls by adding and removing control families that match your system package. This is done with the Tailoring page in OpenRMF® Professional. You must be a System Package Owner to use this page and update your settings; other users can view the tailored listing but not change it.

Updating Your Controls

To update your controls, use the Tailoring page. It shows all the controls currently used by your system package on the left and all available controls on the right. Use the arrows to add or remove controls from the listing. When done, click the Save button: all major controls on the left are added and set on your system package as the tailored listing.

If you wish to go back to the default RMF, FedRAMP or StateRAMP™ controls after setting up Tailoring, click the Reset button at the bottom of that page to remove the tailored control listing.

NOTE: OpenRMF® Professional applies tailoring, overlays, and generates compliance to the subcontrol level. So we use tailoring, overlays, and compliance at a level of AC-4(19) not just at the major control of AC-4. Keep this in mind as you determine your tailoring controls and overlays.

System Package Control Tailoring

What is Impacted by Control Tailoring

The list of controls you add or remove for tailoring affects a few key areas in OpenRMF® Professional, and any overlays you add are combined with your tailored controls to form the full listing.

First, it determines the controls you will match against when generating system package compliance. If you specify only the C-I-A levels, we use the default listing available from the NIST website. If you instead pick one of the 4 FedRAMP levels or 3 StateRAMP™ levels, we use the controls designated for that level. However, if you tailor them, we match against the tailored list of major controls and subcontrols you selected.
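To make the note above concrete (tailoring and overlays are combined, and matching happens at the subcontrol level, so AC-4(19) is not the same thing as AC-4), here is an added worked example. It is illustration code, not OpenRMF® Professional's own implementation: the tailored list, the overlay list, and the checklist-vulnerability-to-control references are constructed sample data, and the vulnerability IDs (V-0001 and so on) are placeholders. The `subcontrol_level` switch exists only to show how the matrix changes when references are collapsed to the major control instead.

```python
"""Subcontrol-level control matching (added example; not OpenRMF Professional code).
Control IDs follow the NIST SP 800-53 notation: family-number with an optional
enhancement in parentheses, e.g. AC-4 (major control) and AC-4(19) (subcontrol)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

CONTROL_ID = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?$")


@dataclass(frozen=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int] = None  # None means the major control itself

    @classmethod
    def parse(cls, text: str) -> "ControlId":
        m = CONTROL_ID.match(text.strip().upper())
        if not m:
            raise ValueError(f"not a NIST control identifier: {text!r}")
        enh = m.group("enh")
        return cls(m.group("family"), int(m.group("number")), int(enh) if enh else None)

    @property
    def major(self) -> "ControlId":
        """AC-4(19) -> AC-4; a major control maps to itself."""
        return ControlId(self.family, self.number)

    def __str__(self) -> str:
        base = f"{self.family}-{self.number}"
        return f"{base}({self.enhancement})" if self.enhancement is not None else base


def effective_controls(tailored: Iterable[str], overlays: Iterable[str]) -> Set[ControlId]:
    """Tailored listing plus overlay controls, kept at subcontrol granularity."""
    return {ControlId.parse(c) for c in tailored} | {ControlId.parse(c) for c in overlays}


def match_vulnerabilities(
    controls: Set[ControlId],
    vuln_to_controls: Dict[str, List[str]],
    subcontrol_level: bool = True,
) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Build a control -> vulnerability matrix plus the set of unmatched vulnerabilities.

    With subcontrol_level=True a reference to AC-4(19) matches only AC-4(19), never AC-4.
    With subcontrol_level=False every reference is collapsed to its major control first,
    which is the coarser behaviour the page warns you NOT to assume."""
    keyfn = (lambda c: c) if subcontrol_level else (lambda c: c.major)
    wanted = {keyfn(c) for c in controls}
    matrix: Dict[str, List[str]] = {str(c): [] for c in wanted}
    unmatched: Set[str] = set()
    for vuln_id, refs in vuln_to_controls.items():
        hit = False
        for ref in refs:
            key = keyfn(ControlId.parse(ref))
            if key in wanted:
                matrix[str(key)].append(vuln_id)
                hit = True
        if not hit:
            unmatched.add(vuln_id)
    for vulns in matrix.values():
        vulns.sort()
    return matrix, unmatched


# Constructed sample data: a tailored listing, one overlay, and checklist
# vulnerabilities (placeholder IDs) with the controls they reference.
TAILORED = ["AC-4", "AC-4(19)", "SC-7"]
OVERLAY = ["AC-4(21)", "AU-2"]
VULNS = {
    "V-0001": ["AC-4(19)"],
    "V-0002": ["AC-4"],
    "V-0003": ["SC-7(5)"],          # SC-7(5) is not in the tailored list, only SC-7 is
    "V-0004": ["AU-2", "AC-4(21)"],
}

if __name__ == "__main__":
    controls = effective_controls(TAILORED, OVERLAY)
    for label, flag in (("subcontrol level", True), ("major-control level", False)):
        matrix, unmatched = match_vulnerabilities(controls, VULNS, subcontrol_level=flag)
        print(f"--- {label} ---")
        for control in sorted(matrix, key=ControlId.parse):
            print(f"{control:10} {matrix[control]}")
        print("unmatched:", sorted(unmatched))
```

At the subcontrol level, V-0003 stays unmatched because the tailored listing names SC-7 but not SC-7(5); collapsing to major controls would silently file it under SC-7 and merge V-0001 and V-0002 under AC-4. That difference is exactly why the tailoring and overlay lists need to be built with the enhancement numbers in mind.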

Second, it impacts the System Package Security Plan (SSP) Control to Vulnerability Matrix. This matrix lists every single control and subcontrol for your system package and then matches it to all checklist vulnerabilities across all your checklists. If this sounds like a lot, IT IS! This list can take you several weeks to match up by hand.

Even in OpenRMF® Professional it can take a couple of minutes to generate an MS Excel (*.XLSX) spreadsheet containing all the data. The controls listed in this matrix are either the default listing based on the RMF C-I-A settings, FedRAMP level or StateRAMP™ level, or the controls in your tailored listing.


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!℠