The U.S. Navy's Risk Management Framework (RMF) Campaign Plan defined the rules of engagement, requirements, functions and tasks across various stakeholders Navywide to ensure maximum acceleration in achieving the goal of transition from the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) to the DoD RMF by Dec. 31, 2020.
The plan, released in June 2019, was issued in the form of a U.S. Fleet Cyber Command/TENTH Fleet (FCC/C10F) operational order (OPORD 19-058), Operation TRITON BASTION (OTB), due to the need to speed the completion of the RMF transition as a way to more effectively protect the Navy's information, networks, and systems. It tasked Echelon II commands, system owners and special program offices to meet specific requirements in three objectives and eight lines of effort (LOE) in a three-phased approach.
“DoD RMF Instructions 8500 and 8510 set in motion an initial deadline for RMF transition by April 2018. Noting the urgency required, the formation of the RMF Campaign Plan focused the Navy’s efforts for transition no later than December 2020,” explained Ms. Teresa Duvall, Mission Integration Division Head, USFLTCYBERCOM Office of the Navy Authorizing Official (NAO), in an introductory OTB virtual Town Hall meeting in 2019.
Transition from DIACAP to RMF required completion of three objectives:
- Strengthen the Navy’s portion of the Department of Defense Information Network (DoDIN-Navy).
- Clean up the Navy's Enterprise Mission Assurance Support Service (eMASS) classified and unclassified repositories to reduce ambiguity and enhance visibility in the Navy’s IT portfolio. eMASS is the DoD-recommended tool for information system assessment and authorization.
- Achieve initial operating capability (IOC) of continuous monitoring (ConMon) across Navy enterprise networks for a real-time operational picture.
The first two objectives were led by Mr. Charles Hester, Director of the Fleet Cyber Command NAO and his team; the last objective was led by the Navy Cybersecurity Technical Authority, Naval Information Warfare Systems Command (NAVWAR). All efforts were heartily supported by cyber sentries across the Navy in the journey to ensure on-time transition.
The key mission imperative for OTB was to reduce the Commander’s uncertainty in the Navy’s cybersecurity risk and security control posture while concurrently meeting the statutory and policy requirements via an RMF cybersecurity focus throughout a system’s life cycle — aided by a common cybersecurity framework and improved cybersecurity readiness. As well, new acquisitions should be in alignment with DoD acquisition phasing and informed by RMF principles to ensure cyber readiness from initial concept.
To aid in the full RMF transition deployment objectives, the Office of the NAO, tiger teams and working groups created enduring processes; a Portfolio Management dashboard for Information System Security Managers (ISSM); a ConMon Implementation Guide and Roadmap; technical standards and artifacts, and conducted several pilots to evaluate the effectiveness and sufficiency of policies and tools. Teams achieved success by using RMF Bridge Conversion (RBC) Use Cases and assembling documentation for an Authorization to Operate (ATO) by the NAO or by decommissioning systems and applications that were obsolete or high risk.
On Jan. 19, 2021, Vice Adm. Ross Myers, Commander FCC/C10F, praised all those who worked to achieve RMF transition in the final OTB virtual Town Hall.
“At the end of the day, 100% of the Navy’s systems were transitioned to the Risk Management Framework before the end of 2020. That’s teamwork, that’s success, and I’m so very proud of all of you. My sincere thanks to all of you for making this a reality,” the Admiral said.
“Keys to the success of the campaign plan were several factors,” Ms. Duvall explained.
Early on, channels for communication and focus on a common goal at all levels were established. Tiger teams and working groups were empowered to assist in all phases of the transition, and an interactive portal with a dashboard, metrics, guidance and tools provided stakeholders with continuous support. Finally, and most importantly, senior level engagement from policy leaders such as the Deputy Chief of Naval Operations for Information Warfare (OPNAV N2N6) and DON Chief Information Officer, to the operationally focused FCC/C10F Commander, to the heads of Echelon I and II commands, encouraged and empowered their personnel to enthusiastically support the operation and to do their part in this massive team effort.
Ms. Duvall noted, “Every SYSCOM, Echelon I/II and Package Submitting officer provided a ‘heavy lift’ that ensured the Navy met the goal of 100% transition from DIACAP to RMF.” She highlighted the groundbreaking work of the Naval Enterprise Networks (NEN) Program Office (PMW 205), the Navy’s technical team for the Navy-Marine Corps Intranet (NMCI), in going “above and beyond” in contributing to the NMCI plan’s overall effort to achieve full RMF.
Success required creative approaches to overcome tough challenges, Duvall said. Individuals, program offices and application owners collaborated with a geographically dispersed team across multiple time zones and sought solutions to constraints in resources (time, technical, people and funding), a lack of automation for processes / RMF automation — and associated problems caused by the COVID-19 pandemic.
While the Navy has successfully met OTB requirements, the full transition to RMF is an ongoing effort. For example, the primary benefit of RMF to cyberspace operations will only be seen when continuous monitoring of a system's security controls and cybersecurity posture are in place across the Navy’s enterprise networks and IT assets. Today, this capability and integration are not sufficiently mature, said Mr. Hester. Commands need to focus on continuing their systems’ maturity to achieve full RMF.
Teams are working on the continuation of OTB efforts through OPNAV RMF initiatives, such as eMASS record clean up and maintenance, formulating mature processes for enduring solutions, and ensuring that momentum to make the Navy's RMF processes more efficient and effective during OTB is maintained in ongoing Navy RMF Reform efforts led by DCNO N2N6.
RMF 2021 and Beyond
“In September 2020, OPNAV and NAVWAR teamed up to advance RMF streamlining and to fast track reform processes across the Navy,” said Megan Cane, OPNAV N2N6D. She explained, “The team looked at work that was done by the warfare centers, OTB working groups, RMF Next, Cybersecurity Safety (CYBERSAFE), Quantitative Cybersecurity Risk Assessments (QCRA), and more.” “The goal of the RMF Focus Team is to move fast while maintaining technical rigor and to release improvements to implement today and within the next year,” she said.
One of the pilots under OTB tested automated vulnerability and assessment data feeds to eMASS for a ConMon IOC solution via a prototype.
As a result of the work accomplished under Objective 3, the following efficiencies were gained.
For IOC, the team conducted Continuous Diagnostics and Mitigation Integration Service (CDIS) Research, Development, Test & Evaluation (RDT&E) deployment of capability, analyzed end-to-end test and contributed recommendations to ConMon technical standards and guidance; deployed a prototype IOC solution in RDT&E and connected end-to-end sensors to production systems; and completed eMASS via a web service API integration. In addition, the result of Objective 3 efforts and the associated team enabled the option in eMASS records for automated sensor data and Host Based Security System (HBSS) / Assured Compliance Assessment Solution (ACAS) publishers registered to CDIS and configured to publish.
Moving forward, the team, in collaboration with USFLTCYBERCOM, NAVWAR and OPNAV-led RMF Reform initiatives will assess the ConMon IOC solution and determine if they will facilitate and develop a Full Operational Capability (FOC) of a ConMon material solution that may be expanded for Navywide use. FOC will enable the Navy to increase automation in support of RMF and allow the Navy to advance toward a cyber-Common Operational Picture (COP), said Jesse Reyes, NAVWAR and Fleet Cyber Command OTB Objective 3 Lead for ConMon. The team has developed Navywide ConMon technical standards and guidance and included a ConMon Roadmap and System Requirements Document, which are being leveraged during several RMF Reform focus groups, to support ongoing assessment and authorization (A&A) for future use.
The RMF Reform Focus Team is taking both evolutionary and revolutionary approaches to ongoing RMF transition plans. Working groups are continuing to meet and completed work will be reviewed for recommendations for Navywide enhancements. The Navy will progress through degrees of RMF authorizations over time with the goal of streamlining the RMF process by identifying efficiencies, developing tools and advancing automation to improve the accuracy and timeliness of assessment and authorization.
Progressing from a Static to Ongoing Assessment and Authorization
Under DIACAP, the reauthorization cycle for a system or application was required at least every three years, which remains an option in RMF. The real goal for full implementation of RMF, however, is to reach a point where a system's security posture in the field is continuously monitored and maintained. With automation and data integration, a system can achieve an ongoing authorization that will not expire as long as ConMon continues to be sufficient, for example, as assessed during an Annual Security Review (ASR). To do this, overarching policy and technical solutions are needed, Ms. Duvall explained. She said there will be ongoing policy discussions with OPNAV and development of technical solutions to help the Navy to move to a process where networks and systems are continuously assessed and authorized.
“Ultimately, the Navy is moving towards the implementation of the Integrated Navy Operational Command and Control System (INOCCS), a system of systems for network operations that will allow warfighters to defend everything inside the network,” explained Mr. Manuel Hermosilla, Executive Director and CIO of FCC/C10F, during the 2020 AFCEA West.
“INOCCS will provide Fleet Cyber/U.S. 10th Fleet the capabilities it needs to operate, secure and effectively defend the enterprise with precision and accuracy, gaining a competitive edge over our adversaries,” Hermosilla said. “We’re building out the architecture and design for the INOCCS effort. Improved network and systems management, zero trust security and DevSecOps are all parts of the ongoing technology investment.”
Fully transitioning to RMF and reform are considered key enablers for the Department. DON CIO fully supports ongoing efforts to implement an agile RMF implementation to achieve the DON’s Information Superiority Vision (ISV) Strategic Initiatives for modernization, innovation, and defense for our networks and information.
Contributors to the success of Operation TRITON BASTION and RMF Campaign Plan included: Mr. Carl Rice (FCC NAO), OTB Objective 1, 2 lead; Mr. Jesse Reyes (NAVWAR), OTB Objective 3 lead; Internal Operational Planning Team: Ms. Deniese Cobbins (FCC NAO), Mr. Ron Velasquez (FCC NAO), Mr. Carl Rice (FCC NAO), Mr. Neal Miller (FCC NAO); Mr. Charles Hester (FCC NAO Director), Program Manager Ms. Teresa Duvall (FCC NAO); Assistant PM, Ms. Angela Avanzo (FCC NAO); Deputy PM, Ms. Anishi Scott (NIWC-LANT).
Tiger Team leads included: Mr. Bill Denham (NAVWAR, Navy SCA), RMF Type Authorization; Ms. Dagmara Broadway (FCC NAO), RMF Transition Tiger Team; Mr. Ron Velasquez (FCC NAO), RMF IATT Tiger Team; Mr. Jesse Reyes (NAVWAR), ConMon Tiger Team and the Metrics Tiger Team (NAVWAR, FCC NAO).
Executive Team members included: Mr. Tony Plater (DON CIO); Rear Adm. Susan Bryer-Joyner (OPNAV N2N6); Ms. Brooke Zimmerman (OPNAV N2N6D); Capt. Vince Augelli (formerly of OPNAV N2N6D); Capt. Lee Vigue (OPNAV N2N6D); Lt. Cmdr. John Stuckey (formerly of N2N6D); Mr. Peter Kelley (formerly of OPNAV N2N6D); Ms. Megan Cane (OPNAV N2N6D); Mr. Stephen Gurley (NAVWAR); Ms. Sudha Vyas (formerly of NAVWAR); Mr. Bryan Dennie (NAVWAR); Mr. Bill Denham (NAVWAR, Navy SCA); Capt. R Russell Smith (FCC/C10F MOC-D); Mr. Neal Miller (FCC NAO, formerly NAO Director); and Dr. Charlie Kiriakou (formerly FCC NAO Director).
For more information, please see:
Operation TRITON BASTION: The RMF Campaign Plan
Onward Press to Risk Management Framework Authorization
CHIPS senior editor Sharon Anderson contributed to this report.