Preparing for a Risk Management Framework (RMF) authorization, what RMF controls does Splunk support?

We are preparing for an RMF authorization in a few months. What controls does Splunk support?


Tags (2)
0 Karma


While I have not found anything that can be considered an exhaustive and authoritative list, I did find a July 2017 document from Splunk called "Splunk for RMF - Opererationalizing Continous Monitoring" I think you might have to contact whomever your Splunk rep is to get that. It has a list of controls that Splunk can help answer but is by no means complete from my own observation.

My team and I are currently expanding upon this list and mapping Splunk capabilities to controls. The process is a bit tedious as it involves going through each control family and making a decision about each. Your list of controls and how you handle them is subjective to your information system and its CIA as well as any sort of PII or classification overlays.

My methodology on this is to pull a control family at a time into a spread sheet with the CCI description, Implementation Guidance and Assessment Procedures all included in the row for each of the CCIs associated with the controls. I then go through them asking myself if Splunk has a direct, indirect or no role to play in meeting the requirements of that CCI. From there we have a punch list of items to use as requirements as we tune Splunk and create reports etc,... to meet them.

Path Finder

Following up. This has worked really well for us. I am now in the process of running down evidentiary artifacts in the form of either reports or creating searches to show auditors. .conf files and the stanzas inside of them are one of the things we are looking at to show our configurations are inline with the RMF controls.

0 Karma