CHIPS Articles: Air Force revolutionizes cybersecurity risk management ensuring mission assurance

By Lt. Col. Stephen Esposito, Secretary of the Air Force Chief Information Office - March 9, 2017
WASHINGTON (AFNS) -- The Air Force Chief Information Security Office continues to lead massive change to the way the entire service manages cybersecurity and risk across the five core missions.

The latest innovation is the roll-out of the completely redesigned Risk Management Framework – the formal policies and processes designed to empower Airmen to assess, manage and validate the cybersecurity risks of the tools and systems they operate, from computer programs to major weapons platforms. The new policy realigns the approval processes necessary to certify cyber tools and systems away from singular authority to a functionally aligned model.

This transformation places the risk decision where it belongs: with the experts utilizing those systems and tools to get the mission done. The policy adjustment also moves the Air Force from the antiquated compliance mandates to true risk awareness, mitigation and mission assurance.

The Air Force codified RMF in Air Force Instruction 17-101, “Risk Management Framework for Air Force Information Technology.”

"This policy is the first of my initiatives that hardens cybersecurity, protects the Air Force's key cyber terrain, and reduces the cyber threat footprint,” said Pete Kim, the chief information security officer.

The new process also clarifies the wide array of tools that fit under the cyberspace umbrella. Thinking about what constitutes a cyber system is no longer centered solely on the desktop computer and the network it connects to. As innovation turns formerly inert equipment into “smart” internet-enabled devices at an exponential rate, the threat landscape expands exponentially as well.

This growth includes pieces of mission-critical and mission support programs, from fighter aircraft to buildings' heating and cooling units. Formalization of a standard governance framework for cross-functional engagement is another key piece of the new policy, enabling a truly integrated decision-making process.

The new framework decentralizes the risk assessment and authorization to authorizing officials with a defined cyber area of responsibility delegated by the Air Force chief information officer, Lt. Gen. William Bender. The Air Force has AOs assigned to key mission and functional areas from aircraft and weapons systems to logistics and finance.

This, combined with the AO's vast functional area knowledge, allows the AO to compare the system's cybersecurity risk to the system's mission capability to authorize operations within cyberspace. The cyber threats may grow larger every day as more devices become internet enabled, but the Air Force's policy implements a framework that minimizes the threat landscape to mission assurance, enabling every Airman to fly, fight and win in air, space and cyberspace.

For more information about the U.S. Air Force, visit Air Force News Service: http://www.af.mil/News.aspx

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988