
Preparing for a Risk Management Framework (RMF) authorization, what RMF controls does Splunk support?

markh_colorado
Engager

We are preparing for an RMF authorization in a few months. What controls does Splunk support?

Thanks.


chaoslodge
Explorer

While I have not found anything that can be considered an exhaustive and authoritative list, I did find a July 2017 document from Splunk called "Splunk for RMF - Operationalizing Continuous Monitoring". I think you might have to contact whoever your Splunk rep is to get that. It has a list of controls that Splunk can help answer, but from my own observation it is by no means complete.

My team and I are currently expanding upon this list and mapping Splunk capabilities to controls. The process is a bit tedious as it involves going through each control family and making a decision about each. Your list of controls and how you handle them is subjective to your information system and its CIA as well as any sort of PII or classification overlays.

My methodology on this is to pull a control family at a time into a spreadsheet with the CCI description, Implementation Guidance and Assessment Procedures all included in the row for each of the CCIs associated with the controls. I then go through them asking myself if Splunk has a direct, indirect or no role to play in meeting the requirements of that CCI. From there we have a punch list of items to use as requirements as we tune Splunk and create reports etc. to meet them.

swagner1965
Path Finder

Following up. This has worked really well for us. I am now in the process of running down evidentiary artifacts in the form of either reports or creating searches to show auditors. The .conf files and the stanzas inside of them are one of the things we are looking at to show our configurations are in line with the RMF controls.

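One way to turn the .conf-stanza idea above into a repeatable evidence check, as an added example that is not code from the thread or from Splunk: parse the collected .conf text and compare each setting against a punch-list row. The setting names are real Splunk web.conf/server.conf keys, but the control IDs and the expected values are placeholders to be replaced with your own CCI mapping.

```python
# Added example: check Splunk .conf stanzas against an evidence checklist.
# Control references are placeholders, not an authoritative RMF mapping.

# Constructed sample .conf contents (illustrative values, not from a real host).
SAMPLE_CONFS = {
    "web.conf": """
# web.conf (constructed sample)
[settings]
enableSplunkWebSSL = true
httpport = 8443
""",
    "server.conf": """
[sslConfig]
sslVersions = tls1.2
""",
}

# Punch-list rows: (conf file, stanza, key, expected value, control placeholder)
CHECKS = [
    ("web.conf", "settings", "enableSplunkWebSSL", "true", "SC-8 (placeholder)"),
    ("server.conf", "sslConfig", "sslVersions", "tls1.2", "SC-13 (placeholder)"),
    # Deliberately absent from the sample so the report shows a FAIL row.
    ("web.conf", "settings", "tools.sessions.timeout", "15", "AC-12 (placeholder)"),
]


def parse_conf(text: str) -> dict:
    """Return {stanza: {key: value}} from INI-style Splunk .conf text.
    Comment lines (#) are skipped; keys before any [stanza] go under 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def run_checks(confs: dict, checks: list) -> list:
    """Return one evidence row per check: expected vs. actual and PASS/FAIL."""
    parsed = {name: parse_conf(text) for name, text in confs.items()}
    rows = []
    for conf, stanza, key, expected, control in checks:
        actual = parsed.get(conf, {}).get(stanza, {}).get(key)  # None if missing
        rows.append({"control": control, "setting": f"{conf} [{stanza}] {key}",
                     "expected": expected, "actual": actual,
                     "status": "PASS" if actual == expected else "FAIL"})
    return rows
```

Feeding the rows into a CSV gives auditors the same expected/actual view for every host the .conf files were collected from.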