I have a standalone system that has its own ATO / RMF package. This system has never been used, yet in compliance with controls, I have been maintaining this thing, taking backups of nothingness every 7 days to be compliant, but this means the only time the HDD comes out of the safe is for backups/updates. It feels silly. I’ll more times than not put the drive in the safe after a backup, and the next time I’ll take it out is to back it up again. Funny, but required by my documents technically.
I would like to declare this system dormant, i.e., forgoing certain maintenance (backups specifically) on the system during times of extended non-use (>90 days or so). Obviously I still apply STIGs and virus definitions, but it’s not currently, nor can it ever be, capable of network connectivity, so once again, kind of a silly process, but I get that one at least. It’s been 3 years since it’s been needed, so it’s been through about 4 SolidWorks versions and license renewals without ever being used. Also, I’m the only current user on it and the only one of 2 admins with accounts that’s ever touched it.
So if I want this stipulation, where can I slip it into my A&A docs? Has anyone done something like this before to mitigate silly processes mandated by controls? I can’t just N/A them because what if we DO become operational.