“FCC/C10F and executive stakeholders (Office of the CIO, OPNAV N2N6, FCC/C10F, NAVWAR Cybersecurity Technical Authority, and Navy Security Control Assessor) have not slowed down the execution of OPORD 19-058/Operation Triton Bastion. We will continue tracking bi-weekly with our customers – amidst the teleworking and associated latency issues. Stay safe and let's work together to meet the mission goals.”
~ Dr. Charles Kiriakou (Dr. “K”), Navy Authorizing Official, U.S. Fleet Cyber Command/TENTH Fleet
Cyber-sentries from across the Navy continue to make headway on the Navy’s transition from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) by the Dec. 31, 2020 deadline.
The U.S. Navy's transition policy has been set since 2017. In August 2019, U.S. Fleet Cyber Command/U.S. TENTH FLEET issued an operational order for Operation TRITON BASTION to emphasize the need to complete RMF transition on time and to bring the Navy into alignment with current and emerging technology. The OPORD tasks Echelon II commands, system owners, and special program offices to meet specific requirements in three objectives and eight lines of effort (LOEs) in three phases to accomplish the RMF transition: plan, execute transition, validate and assess. (See Figure 1 at right.)
Much progress has been made since the Operation Triton Bastion (OTB) launch, but there are still miles to go, with the overall rate of transition standing at 51.17% as of April 23, said Teresa Duvall, U.S. Fleet Cyber Command Office of the Navy Authorizing Official (NAO), Mission Integration Division Head and project manager for Operation Triton Bastion, in a virtual Town Hall.
Among the limiting factors to transition is the cultural shift for the Navy in recognizing that cybersecurity is “commander’s business” and not a back office function for the IT shop.
The other primary cause for delay is lack of automation and the ongoing clean-up of the Enterprise Mission Assurance Support Service (eMASS), the DoD authoritative database.
eMASS is the Defense Information Systems Agency (DISA) Approval and Accreditation workflow and document repository, and the DoD-recommended tool for information system assessment and authorization. Over the years, system owners have been inconsistent in updating their records. For example, expired accreditations/authorizations, duplicate entries, orphaned system registrations, and improperly identified authorizations coexist with properly authorized packages. eMASS resolution and other processes largely require touch labor and can bog down transition progress to RMF significantly.
Leading the Charge
Duvall moderated a panel consisting of the NAO team and project managers who reported progress, provided encouragement and promoted the use of tools and metrics available on the RMF portal to facilitate transition to which all Navy stakeholders have pledged support.
The expansion of telework and new ways of doing business within the Defense Department due to the COVID-19 pandemic have provided an opportunity for adversaries to adapt their attack methods to this new operational paradigm, said Fleet Cyber Command NAO Director, Dr. Charles Kiriakou. He pointed to a memo issued by the DoD Chief Information Officer (Authorized Telework Capabilities and Guidance) and urged the Navy’s cybersecurity team not to let their guard down regarding the cyber threats to DON IT networks and resources. This cautionary reminder is directly from DoD leadership and Gen. Paul Nakasone, Commander, U.S. Cyber Command, and Vice Adm. Timothy "T.J." White, Commander, FCC/C10F, Dr. Kiriakou said.
“During this time, cybersecurity is mission essential. While you are meeting the demands for increased telework, don’t let your Authority To Operate expire as the Navy continues to evaluate and approve ATOs,” Dr. Kiriakou said.
Navy Cybersecurity Status
Noting the challenges of working under COVID-19 limitations, Capt. BryerJoyner said the Navy can’t afford to wait any longer for RMF authorizations.
“The RMF transition is not just a bureaucratic process,” BryerJoyner said. “The authorizations resulting from the Risk Management Framework are all about assessing the level of risk these systems are bringing to the DoDIN-N (DoD Information Network for Navy) and the level of risk to the missions being supported by the systems. It’s why I need you to remember, what we do is so very important to helping all Commanders across the board understand the risk they are accepting when we operate these systems.”
The captain urged the Navy cybersecurity team to report any impediments to RMF transition through their chain of command.
“We shouldn’t wait until the last minute because everybody hopes they would be able to work through the obstacles. I ask for your support in that particular area. If you think there is going to be an issue, please elevate it up your chain of command and simultaneously keep the Navy Security Control Assessor (SCA) and NAO informed.”
"Cybersecurity remains a mission essential function during COVID-19. Consequently, I do not anticipate OPNAV N2N6 approving any DIACAP waivers after December 2020. We can't afford to delay this critical transition any longer."
~ Captain Susan BryerJoyner, Cybersecurity Branch Director (OPNAV N2N6G5)
The captain’s team is working on multiple efforts to achieve RMF reform.
“The first pillar of RMF reform is fixing what is broken today,” BryerJoyner said. “We have many systems that are chronically in high-risk escalation so we are taking a strategic pause to examine those systems and identify an exit strategy. We are also in the process of revising the HRE process to do a better job assessing risk.
The second pillar intends to improve the process we have today. It has three lines of effort including policy and process updates to remove unnecessary steps. The second line of effort is workforce development. Essentially, what we have recognized is that we have a good certification and training process for validators, but we don’t provide that level of support to the other RMF roles. So we are identifying the knowledge, skills and abilities needed and, existing courses to leverage so we can determine the deltas and help improve the consistency of the knowledge base across the Navy,” BryerJoyner said.
The third line of effort under RMF streamlining, which kicked off in January, revolves around identifying efficiencies, developing tools and advancing automation to improve the accuracy and timeliness of assessment and authorization.
“The third pillar of RMF Reform is something I am calling ‘RMF Next’ because the way we have implemented RMF in the Navy today is probably not the best way to assess risk. The question is how do we get to a point where we are able to assess risk continuously and that gets into continuous monitoring. As for assessing risk, do we have the right risk methodology because right now what we are using doesn’t allow us to aggregate risk for a system of systems. It is not suited for that level of analysis,” BryerJoyner said.
The captain explained Lt. Cmdr. John Stuckey is leading a quantitative cyber-risk assessment study to identify a methodology that might be more appropriate for assessing risk throughout a system lifecycle — not just during RMF accreditation. This will allow Cyber Operational Readiness Inspections (CCORI) and other forms of risk assessments, like Red Team exercises, to leverage the process and combine them into a comprehensive plan.
High Risk Escalation Stand Down and Strategic Pause
Due to the high number of high-risk applications and systems still operating throughout the Navy, OPNAV N2N6 spearheaded a Stand Down/Strategic Pause in coordination with the Navy Security Control Assessor, FCC/C10F NAO, and DON CIO to focus senior leadership, and the Navy programs posing long-term high risk, on this critical area. Programmatic reviews of high-risk systems and applications kicked off April 28th and will cycle through three leadership tiers, said Deniese Cobbins, Assessment and Authorization Sustainment Division Head, Fleet Cyber Command.
Both Cobbins and Carl Rice, RMF Transformation Division Head, FCC/C10F, and lead for Objective 1 and Objective 2, said a portion of the HRE portfolio is undergoing review with an additional level of scrutiny. The idea is to identify a course of action for system owners to either reduce risk or eliminate high-risk systems, report recurring challenges, and develop an exit strategy.
“During the stand down/strategic pause, selected high-risk programs will walk through an in-depth programmatic review and cycle through three leadership tiers. First tier is O-6/GS-15 programmatic review, which supports the programs in shaping their commitments to courses of action and the development of the fully resourced POA&Ms to achieve acceptable levels of risk and exit High Risk Review. Second tier is at the 1*/2* level for concurrence on achievable courses of action or to direct alternate courses. Third tier is at the 3* level for FCC/C10F decision to determine if risk to the DoDIN-N is acceptable or a joint FCC/C10F and OPNAV endorsement to DON CIO for final approval for system owners to maintain operations,” said Cobbins.
To assist in the process, tools are being added and a new governance structure is being established which aligns with the CNO’s vision for making cybersecurity a key part of commander’s business, Cobbins said. Updated Echelon I guidance is also forthcoming.
The expectation is an all hands on deck approach for success, and most importantly, “Improved Cyber Readiness” — in line with the CNO’s vision.
A question was asked if the Navy had set a threshold for the number of high-risk systems that would be allowed to operate, for example, only 5% for the entire Navy information systems portfolio.
Capt. BryerJoyner responded that although there is a process to request high-risk approval from the DON CIO, the Navy is not setting any arbitrary numbers.
“My goal is zero systems in HRE and that is what I placed on the N2N6 monthly dashboard because ultimately we need to get there. There are a couple of impediments. First, I don’t think we are measuring risk properly. I think we have systems in high-risk escalation that probably don’t need to be there. We’ve also had systems in high risk escalation that will never leave that [designation] because of resourcing decisions,” BryerJoyner said.
“Finally, other than to set progressive standards that drive our numbers down, I don’t know that we want to set something at the satisfactory level because part of the risk is determined by the CIA (confidentiality, integrity, and availability). Some systems may never be lower than moderate risk. I don’t know that we want to arbitrarily set a percentage of our portfolios to a certain level of risk,” the captain said.
Tools, Training & Assistance
In addition to senior level assistance, the RMF Transition Tiger Team (RT3) is deployed to engage with Echelon I and II system owners on their transition efforts to RMF, with a focus on eMASS record cleanup for expiring and expired systems, Denial of Authorization to Operate (DATO)/Decommission, and other record correction actions.
The RT3 monitors action dates and progress for RMF Bridge Conversion Use Cases and/or Full RMF transition. The RT3 tracks progress to achieve milestones in accordance with RMF transition timelines, identifies potential challenges hindering RMF transition and provides NAO assistance. Meeting minutes, action items, and biweekly schedules are posted to the RT3 OTB portal. There are multiple views and filters to customize charts for data analysis and visibility into project tasks along each command’s Plan of Action and Milestones (POA&Ms).
The NAO2 Operations office is eager to support Package Submitting Offices (PSOs) in meeting their RMF goals, said Charles Hester, Deputy NAO. The PSO should be the focal point for prioritization, scheduling, and de-conflicting external issues with the program management office (PMO) before sending a RMF package to the NAO, he said, since rework is the No. 1 cause of transition delays. To avoid rework and conserve resources, the PSO and PMOs should coordinate priorities in a deliberate fashion, he advised.
Executing good daily cyber hygiene is critical to the Navy’s mission and will also help in meeting the RMF transition deadline, Hester explained. “A goal for all of us is to give Fleet Cyber Command, the Operational Commander, the Directive Authority for Cyberspace Operations, or DACO, Admiral White, who is over all Navy networks, increased focus on the intelligence-driven threat which is the balance between risk and network operations,” he said.
Continuous Monitoring, Tools & Automation
The ultimate goal once the RMF transition is completed will be to automate as much of the Assessment and Authorization process as possible. The automation leverages technical guidelines from the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) program, explained Jesse Reyes, Naval Information Warfare Systems Command (NAVWAR) and Fleet Cyber Command Operation Triton Bastion Objective 3 Lead for Continuous Monitoring (CONMON).
The aim is to facilitate and develop an Initial Operational Capability (IOC) of a CONMON material solution that may be expanded for Navywide use. IOC will enable the Navy to increase automation in support of RMF and allow the Navy to advance toward a cyber Common Operational Picture (COP), Reyes said.
The team is developing and promulgating Navywide CONMON technical standards and guidance. The CONMON Roadmap and System Requirements document are in their final review process, with the team now focusing on developing implementation guidance for Ongoing Assessment and Authorization for future use.
Cross SYSCOM/Stakeholder Collaboration
To create unity of effort and share best-of-breed solutions, systems commands and stakeholders hold a biweekly working group meeting to leverage existing tools and evaluate technical controls. Members evaluate future tools for enhanced correlation and develop technical standards and guidance to standardize the methodology for manual controls.
Pilot efforts are underway to: (a) test technical capability; (b) refine processes; (c) feed implementation guidance development; and (d) identify gaps to be performed via manual processes.
The Navy is in Phase 2, the Execute phase, of the Operation Triton Bastion RMF transition plan, Duvall explained. In this phase, the stakeholders are conducting RMF transition and enabling activities. Phase 3, the Validate and Assess phase, will begin on 1 September and ends by 31 December 2020, she said.
In this phase, the stakeholders, led by NAO, will validate that the three Objectives and eight LOEs are completed. Results will also be documented and reported to the Commander, Vice Adm. White, on a more frequent basis.
The work is tough, but great progress has been made with nearly 100% participation and valuable feedback being shared among commands, stakeholders and system owners.
The entire Navy team, consisting of leadership from DON CIO, OPNAV, FCC/C10F, NAVWAR, stakeholders and the fleet remain focused on the end game.
Because, as Duvall said, as of April 23, it’s only eight months, one week and two days to the RMF Dec. 31, 2020 transition deadline.
And, as Hester notes, “get ‘er done!”
Editor’s Note: Special thanks to the office of the Navy Authorizing Official, U.S. Fleet Cyber Command/TENTH Fleet; the FCC/C10F public affairs officer; Capt. Susan BryerJoyner, Cybersecurity Branch Director (OPNAV N2N6G5) and her team; and the OPNAV N2N6 public affairs officer for their contributions to this article.