Tenacity practices the NIST Risk Management Framework (RMF) to conduct Certification and Accreditation (C&A) testing and analysis. The six-stage RMF maps directly onto the stages of a Tenacity engagement. Tenacity will produce artifacts for whichever C&A method your agency uses, be it NIST, DoD 8500, or Director of Central Intelligence Directive (DCID) 6/3, but will frame the engagement around the RMF. The RMF stages are: Categorization, Selection, Implementation, Assessment, Authorization, and Monitoring.
The Requirements and Design stages of IT system development correspond to the RMF Categorization and Selection stages. Tenacity will familiarize the customer with the RMF method and gain an understanding of the system to be accredited. Tenacity will then conduct a system categorization and selection exercise whose outcome defines the Impact Level designation of the system and the resulting tailored control set (referred to here as the Protection Profile). Tenacity engineers will work with the system developers, integrators, and sponsoring customer to choose the specific security controls from the governing catalogs. Once the applicable controls are identified, Tenacity will work with the customer to identify the design for implementing each one. The output of this exercise is a Memorandum for the Record (MFR) describing the system, its Protection Profile, and a Security Requirements Traceability Matrix (SRTM) that lists each security control alongside the design that satisfies it. The customer can submit this MFR to its sponsoring agency's C&A process for approval. Tenacity engineers will remain engaged until the design is approved.
The Development stage of IT system development corresponds to the RMF Implementation stage. C&A has no formal role during this stage other than to ensure that the system as built follows the approved design. Tenacity will keep engineers familiar with the IT system on call to support any design changes or answer questions about specific implementations.

The Test stage of IT system development corresponds to the RMF Assessment and Authorization stages. Tenacity will review system test plans and procedures to ensure that every security control listed in the SRTM is exercised by a test and has been properly implemented. Tenacity will prepare the System Security Plan (SSP) reflecting the "as-built" design of the security controls. Tenacity will then conduct, in concert with the customer, the security-relevant system tests. At the conclusion of testing, Tenacity will prepare an accreditation recommendation that includes the SSP and the results of the security testing, including any findings that remain open. The formal accreditation decision is reserved for the government sponsor of the system; the recommendation report provides all the information the accreditation authority needs to make a fully informed decision. Tenacity will provide up to a month of direct support at customer and sponsor meetings to address questions or issues with the report.
The Operations and Maintenance (O&M) stage of IT system development corresponds to the RMF Monitoring stage (continuous monitoring). Tenacity can develop a continuous monitoring plan for any system, conduct continuous monitoring on the customer's site, or simply remain on call to support security-relevant issues as they arise.