Department of Navy (DON) cyber-sentries from across the major systems commands participated in a second Town Hall presentation in August to collaborate and set the plans in motion supporting the Navy’s RMF Campaign Plan. The plan defines the rules of engagement, requirements, functions and tasks across various stakeholders Navywide to ensure maximum acceleration to achieve the DON goal of complete transition from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) by Dec. 31, 2020.
The plan, released in June, takes the form of a U.S. Fleet Cyber Command/TENTH Fleet (FCC/C10F) operational order (OPORD), Operation Triton Bastion, because the RMF transition has to be completed faster. It tasks Echelon II commands, system owners and special program offices to meet specific requirements in three stages of execution. It’s an ambitious plan, but one that is now required, said Teresa Duvall, U.S. Fleet Cyber Command Office of the Navy Authorizing Official, Mission Integration Division Head and Project Manager for Operation Triton Bastion.
The plan, in OPORD format, detailing the purpose, method, and end-state, was given to Vice Adm. Timothy “T.J.” White, commander, FCC/C10F, in April for his endorsement, and underwent several rigorous reviews by the Echelon II commands, SYSCOMs, special program offices, fleet commanders and the FCC/C10F Maritime Operation Center Chiefs for their buy-in, Duvall explained. OPNAV, DON Chief Information Officer, Naval Information Warfare Systems Command, Navy Security Control Assessor (SCA), FCC/C10F N3/5 (Operations), and the C10F Battle Watch were heavily involved, she said.
DoD Instructions 8500.01 and 8510.01 set an initial deadline for RMF transition of April 2018. The Navy began the transition, but progress was not sufficient to meet that deadline, and the Navy then set its focus on December 2020. Yet when Vice Adm. White assessed the Navy’s transition progress, it was clear that without significant action the Navy would not meet the December 2020 RMF deadline either.
“When it comes to setting the Navy's cyberspace theater, our Navy Authorizing Official (NAO) provides us the first look into our cybersecurity posture, and our Office of Compliance and Assessment (OCA) ensures that the first look is accurate,” White wrote.
The campaign “sets the theater” by aligning the Navy with DoD policy and processes, using a common risk lexicon, and implementing continuous monitoring to be better positioned to understand and manage cybersecurity risk.
The August Town Hall meeting provided additional guidance and a progress report that illustrated the Phase 1 actions completed to date. While progress varies across commands, Package Submitting Officers (PSOs) had provided 33 percent of the required RMF Transition Plan of Action & Milestones (POA&M) submissions. The deadline for Phase 1 actions, initially scheduled for Aug. 31, was extended to Sept. 30, 2019, via a fragmentary order (FRAGO), to give commands and stakeholders additional time.
Per the OPORD, various Tiger Teams are chartered to develop and implement RMF process improvements, as required, to assist stakeholders with initial RMF transition and follow-on activities.
Carl Rice, acting NAO Assessment and Authorization (A&A) Process Improvement Division Head, is the lead for the RMF Enhancement Operational Planning teams.
RMF Cybersecurity Goals – Commander’s Intent
The aim of Operation Triton Bastion is to reduce the Commander’s uncertainty in the Navy’s cybersecurity risk and security control posture while concurrently meeting the statutory and policy requirements for Risk Management Framework transition via a RMF cybersecurity focus throughout a system’s life cycle — aided by a common cybersecurity framework and improved cybersecurity readiness. New acquisitions should be in alignment with DoD acquisition phasing and informed by the RMF to ensure cyber readiness from the start.
Cybersecurity integration will result in more dependable and resilient trustworthy systems that will significantly increase the DON’s ability to protect, detect, react, and restore system operability, even when under attack from a capable cyber-adversary, Duvall explained.
Operation Triton Bastion directs the Navy to achieve three objectives and eight lines of effort (LOEs) in three stages to accomplish RMF transition: plan, execute transition, validate and assess. The end-state occurs when all Navy systems and applications have transitioned to RMF by Dec. 31, 2020. This project concludes with the Initial Operational Capability (IOC) of the continuous monitoring (ConMon) stage with an approved standard and materiel solution that will be expanded for Navywide use.
ConMon will initially be implemented via manual operations and ultimately through automation to achieve a capability to generate near-real time local and enterprise IS readiness status that adds to the Commander’s enterprise cybersecurity common operational picture. ConMon will enable a shift from a reactive to an anticipatory cybersecurity activity and defense posture.
Sudha Vyas, with the Navy’s Cybersecurity Technical Authority, is the lead for the technical standards and guidance for implementing ConMon. Echelon IIs and subordinate commands will feed into that capability to provide a single cybersecurity operational picture at Full Operational Capability (FOC), with the primary goals of continuous assessment and continuous authorization, Duvall explained.
One contributing source of delay to full RMF transition has been Echelon II stakeholder management of their respective Enterprise Mission Assurance Support Service (eMASS) area of responsibility, Duvall noted.
eMASS, a Defense Information Systems Agency (DISA) A&A workflow and document repository, is the DoD-recommended tool for information system assessment and authorization. Because eMASS users have not maintained their data, eMASS cannot generate accurate authorization records, which in turn degrades the accuracy of the DoD Cybersecurity Scorecard.
Over the years, system owners have been inconsistent in updating their records, Duvall said. For example, expired accreditations/authorizations, duplicate entries, orphaned system registrations, and improperly identified authorizations coexist with properly authorized packages.
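The record problems listed above are mechanical enough to check automatically before a scorecard or metrics pull. The script below is an added example, not eMASS code or the NAO’s own tooling; the record layout (id, name, framework, authorization type, authorization termination date, parent registration) and all system names and dates are constructed for illustration and will not match a real eMASS export. It flags expired active authorizations, duplicate registrations of one system, registrations that inherit from a parent that is missing or no longer authorized, active authorizations with no termination date recorded, and reports how many active packages remain under DIACAP versus RMF, the same metric the campaign tracks.

```python
"""Hygiene checks over a constructed authorization-record export.

Added example, not eMASS code or the Navy Authorizing Official's
tooling. The field layout below is an assumption; a real eMASS
export differs. Findings mirror the problems named in the article:
expired authorizations, duplicate entries, orphaned registrations,
and improperly identified authorizations.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (hypothetical systems, names and dates).
#   authorization: ATO, IATO, IATT, DATO or DECOMMISSIONED
#   framework:     DIACAP or RMF
#   atd:           authorization termination date (ISO) or None
#   parent:        id of the record this system inherits controls from
RECORDS = [
    {"id": "SYS-0001", "name": "Pier Logistics Portal", "framework": "RMF",
     "authorization": "ATO", "atd": "2021-06-30", "parent": None},
    {"id": "SYS-0002", "name": "Pier Logistics Portal", "framework": "DIACAP",
     "authorization": "ATO", "atd": "2018-12-31", "parent": None},      # duplicate, expired
    {"id": "SYS-0003", "name": "Ordnance Tracking", "framework": "DIACAP",
     "authorization": "IATO", "atd": "2020-03-31", "parent": "SYS-0009"},  # parent not registered
    {"id": "SYS-0004", "name": "Berthing Scheduler", "framework": "RMF",
     "authorization": "ATO", "atd": None, "parent": "SYS-0005"},        # ATO with no ATD
    {"id": "SYS-0005", "name": "Shore Enclave", "framework": "RMF",
     "authorization": "DECOMMISSIONED", "atd": "2019-01-15", "parent": None},
]

ACTIVE = {"ATO", "IATO", "IATT"}
RETIRED = {"DATO", "DECOMMISSIONED"}


def parse_date(value):
    """ISO date string to date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def find_expired(records, as_of):
    """Active authorizations whose termination date is already past."""
    return sorted(r["id"] for r in records
                  if r["authorization"] in ACTIVE
                  and parse_date(r["atd"]) is not None
                  and parse_date(r["atd"]) < as_of)


def find_duplicates(records):
    """System names registered under more than one record id."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r["id"])
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


def find_orphans(records):
    """Records inheriting from a parent that is missing or no longer authorized."""
    status = {r["id"]: r["authorization"] for r in records}
    return sorted(r["id"] for r in records
                  if r["parent"] is not None
                  and (r["parent"] not in status or status[r["parent"]] in RETIRED))


def find_misidentified(records):
    """Active authorizations recorded without a termination date."""
    return sorted(r["id"] for r in records
                  if r["authorization"] in ACTIVE and not r["atd"])


def transition_metrics(records):
    """Active packages still under DIACAP versus already in RMF."""
    return dict(Counter(r["framework"] for r in records
                        if r["authorization"] in ACTIVE))


def run_checks(records, as_of_iso):
    """All findings for one export, evaluated as of the given ISO date."""
    as_of = parse_date(as_of_iso)
    return {
        "expired": find_expired(records, as_of),
        "duplicates": find_duplicates(records),
        "orphans": find_orphans(records),
        "misidentified": find_misidentified(records),
        "metrics": transition_metrics(records),
    }


if __name__ == "__main__":
    for key, value in run_checks(RECORDS, "2019-09-30").items():
        print(f"{key}: {value}")
```

Run against the constructed records as of Sept. 30, 2019, the checks flag SYS-0002 as expired, the two Pier Logistics Portal registrations as duplicates, SYS-0003 and SYS-0004 as orphans (one parent unregistered, one decommissioned), SYS-0004 as an ATO without a termination date, and report two active DIACAP packages against two RMF packages. The same structure applies to a real export once the field names are mapped to the actual columns.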
Manuel Hermosilla, Executive Director, Fleet Cyber Command/C10F, serves as the champion for the RMF Campaign Plan. “Understanding and knowing our DoDIN-Navy is a must do in order to Command and Control (C2), operate, defend, configure, and maneuver in and throughout CYBERSPACE.” ... “If you don’t know what you have to operate then how can you know what you actually have to defend?” Hermosilla wrote.
Navy implemented new eMASS workflows that align with the RMF process. The workflows feed a dashboard that provides better insight into where systems and packages are in the RMF process, and enables more accurate process metrics, Duvall explained.
The six Assessment and Authorization (A&A) eMASS lifecycle workflows are aligned with, and accomplish, discrete RMF steps. The A&A workflow also accommodates additional eMASS steps for high-risk escalation systems. Additional “out of cycle” eMASS workflows were developed to assist the workforce with various RMF tasks. The Risk Assessment Workflow performs out-of-cycle risk assessments such as inspection results, Command Cyber Operational Readiness Inspections (CCORI), annual reviews, and continuous monitoring of security controls, called the RMF Monitor Cycle. The RMF Bridge Conversion (RBC) workflows have been updated to align with a new paradigm for processing RBC packages.
The Assess Only workflow will still be available only to Navy Functional Authorizing Officials (FAOs) and SYSCOM Platform IT (PIT) authorities. Working groups were instrumental in these workflow improvements, Duvall said.
The eMASS User’s Guide will provide stakeholders a clear understanding of how eMASS can assist in their efforts. Job Aids, located on the NAO RMF Portal, provide detailed instructions on how to complete a particular eMASS workflow to include identifying roles and responsibilities.
Workflow changes will be available incrementally, Duvall said. The team defined the eMASS enhancements needed and were required to submit Configuration Control Board (CCB) requests because eMASS is a DISA system. The teams are working with DISA to focus on the eMASS CCBs and on a plan for continued maintenance.
The RMF Transition Tiger Team (RT3), led by Deniese Cobbins, Assessment and Authorization Sustainment Division Head, Fleet Cyber Command, is focused on (1) eMASS record cleanup for expiring, expired, and DATO/decommissioned systems and circuits; and (2) monitoring action dates and progress for RBC and/or full RMF transitions.
The team began facilitating biweekly scheduled coordination meetings in the third week of September with all affected Echelon I and II organizations at the Action Officer level to report changes in the status of open action items and highlight RMF transition barriers and projections for successful completion of tasks.
“Accomplishing the objectives and lines of effort will require a Navywide focus. The Navy is counting on Echelon IIs and system owners to take responsibility, accountability and authority to move the campaign forward and meet the Navy’s goal to transition to RMF by December 2020,” Cobbins said.
Duvall pointed to the Secretary of the Navy Cybersecurity Readiness Review, which was critical of the DON’s cybersecurity posture, as an additional factor in encouraging commands to implement the RMF Campaign Plan as soon as possible.
Recommendations in the review specifically address policy, processes, and resources needed to enhance cyber defense and increase resiliency. Secretary of the Navy Richard V. Spencer directed the department to close the gaps in cyber readiness with a sense of urgency. The review team referred to the vulnerabilities as an “existential threat” to national security.
To assist commands in the effort, FCC/C10F centralized RMF resources, including a dashboard, allowing data visualization, automated tools, briefs, supporting documentation and data call information. The dashboard is generated by Tableau® business intelligence and analytics software. Tableau is an interactive data tool that simplifies raw data into an easily understandable format. The Tableau desktop reader allows stakeholders to drill down into their specific metrics on the dashboard.
For those with a Common Access Card (CAC), the Fleet Cyber Command NAO Portal is the site for information on the RMF Campaign Plan, Operation Triton Bastion, and to view and access the dashboard.
Metrics are updated biweekly so accurate reporting by stakeholders is key for operational control of the processes that will lead to success. Progress will be very clear to leadership as the number of DIACAP packages decrease and the number of RMF packages increase, Duvall said, as the Navy Executive Operational Planning Team assesses performance.
Work is continuing on improvements to dashboard functionality. Duvall reported in August that 60 percent of the improvements were completed.
FCC/C10F Navy Authorizing Official Role
FCC/C10F, via the Navy Authorizing Official, is the supported commander. The NAO will lead and facilitate Stage 1 (Planning) to achieve all objectives. Planning will also identify lead points of contact and stakeholder groups tasked to complete all lines of effort in support of their respective objectives. Under the new plan, the NAO will work to break down the barriers that have held Echelon II commands and system owners back from transition progress in the past. Although RMF transition will not be easy, the NAO will help facilitate processes with the tools that were developed and expertise from the working groups, Duvall explained.
The NAO will:
- Report Stage 1 status biweekly to the FCC/C10F Executive Director.
- Lead status tracking during Stage 2 of LOEs progress and stakeholder transition to RMF, using metrics derived from eMASS.
- Lead RMF Transition Tiger Team in support of DIACAP to RMF transition.
- Report Stage 2 status monthly (and at shorter periodicity as required) to the Executive Director and MOC Chiefs using the FCC Battle Rhythm.
- Co-lead RMF metrics development. Promulgate transition metrics on a biweekly basis.
- Support ConMon development and implementation.
- Support RMF Type Authorization Tiger Team.
- Validate and assess transition (project management) of Objectives/LOEs and reporting during Stage 3.
FAOs will report metrics that fall under their cognizance directly to the Deputy Chief of Naval Operations for Information Warfare (OPNAV N2N6), who will closely track progress along with the NAO, Duvall said.
Navy Echelon II Commands Tasking
- Prioritize resources for RMF efforts for information systems (IS) within their portfolios.
- Complete RMF transition plan via template provided on the NAO SharePoint Portal.
- Drive tasking to complete RMF transition for ISs within their portfolio under NAO purview.
- Direct and synchronize subordinate system owner organizations/stakeholders and roles of RMF responsibility to prioritize efforts and resources to support completing the objectives of this OPORD.
- Present latest executive status summary brief pertaining to the progression of RMF transition at biweekly meetings. Template will be available on the NAO portal.
- Participate as a member of the auxiliary Operational Planning Team (OPT) as requested.
- Develop internal processes to maintain organizational eMASS records, per Objective 2, eMASS clean up and maintenance.
- Be prepared to direct and synchronize system owners/stakeholders to transition systems and networks that provide inheritable security controls to child systems or applications to expedite transition to full RMF.
Dr. Charles Kiriakou, FCC/C10F NAO Director, urged Echelon IIs and system owners to update their Security Plans (SP), Security Assessment Reports (SAR), and Plans of Action & Milestones (POA&M). It is critical to synchronize with sub-system owners and other stakeholders while formulating plans, he advised. Milestone dates, which were a problem in the past, are very important for accurate tracking. Commands can track progress using a tasker spreadsheet that will be available on the NAO portal; instructions for the spreadsheet are forthcoming, he said.
The NAO will be drawing metrics from eMASS and the Echelon II RMF Transition POA&Ms and is working on ways to improve the reporting process.
RMF Bridge Conversion (RBC) Use Cases
The NAO is assisting with fast-tracking transitions by issuing RBC Use Cases via the RMF Process Guide (RPG), said Charles Hester, Deputy NAO. In August, the NAO reported that six Use Cases had been released thus far. The RMF Bridge Conversion (RBC) provides six “off-ramps” to support RMF Campaign Plan Objective 1, Hester explained. The best option is to move to full RMF and never have to use the “RMF off-ramps.”
These fast-track RMF Bridge Conversions were developed to establish a security baseline for an information system in RMF, with the intent that the full RMF review be completed in subsequent RMF authorization iterations. Ron Velasquez, Operations Division Head for NAO, advised that elements of the RBC Use Cases may be useful as standard RMF best practices in the future, but further analysis is needed.
“A key point is the NAO community is not just tracking RMF transition, we are helping everyone get there by developing and publishing RMF improvements. We are giving our stakeholders tools to transition to RMF,” Hester said, “including Security Control Profiles commands can follow.”
Specific guidance, per the FRAGO, is that DIACAP Interim Authorizations to Operate (IATO) and Authorizations to Operate (ATO) will not be issued after Sept. 30, 2019. Additionally, DIACAP Interim Authorizations to Test (IATT) will not be issued after Dec. 31, 2019. Dr. Kiriakou said it best: “Once in RMF, you can’t go back [to DIACAP].”
Security Control Inheritance
In a candid discussion after the first Town Hall meeting, several Echelon II and special program representatives raised concerns about the length of the transition process for systems already approved under DIACAP. They said that to achieve ATO under RMF, they must be able to use security control inheritance for many of their systems and programs.
The Committee on National Security Systems (CNSSI No. 4009) defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application.”
While the Navy does have a process for using security control inheritance, it does not go far enough to address all Use Cases, some representatives said.
The NAO is looking to improve the inheritance model by leveraging best practices from across the government.
For example, the DON CIO is in discussions with Air Force CIO representatives regarding their implementation and lessons learned with RMF, said Tony Plater, DON CIO Director for Cybersecurity and Privacy. He gave an example of how the Air Force’s streamlined processes might work for sub-systems, but so far, the DON CIO has not found a streamlined process that would apply enterprise-wide for the Navy, Plater said.
“We are trying to leverage all our contacts [in the military departments]. We have talked with Kevin Dulany (Chief, Risk Management Framework Division; DoD CIO/DCIO-CS). At the DoD CIO level, they are trying to assess where everyone is [in transition]. They want to make sure that everyone is meeting the overall intent. They are looking to update and strengthen DoDI 8510.01 (RMF for DoD IT). There have been discussions about continuous re-authorizations and what the steps are for the department to get there,” Plater said.
One path to re-authorization is continuous monitoring. DoD is examining this method because it will speed the ATO process, but continuous monitoring is not defined the same way by all agencies within the department, Plater explained. “The DoD is narrowing the focus to move the department forward,” he said.
The DON CIO, along with the NAO community, is also investigating how the Department of Homeland Security implements the Risk Management Framework and the DHS Continuous Diagnostics and Mitigation program.
Navy Working Groups are meeting to continue to refine processes and smooth RMF transition, Duvall said.
The NAO portal is hosted by U.S. Fleet Cyber Command/U.S. 10th Fleet: https://usff.navy.deps.mil/sites/fcc-c10f/NAO/SitePages/RMF%20Campaign%20Plan.aspx.
The Office of the Navy Authorizing Official contributed to this report.