Email this Article Email   

CHIPS Articles: Building a Highly Skilled Risk Management Framework Validator Workforce

Building a Highly Skilled Risk Management Framework Validator Workforce
By Paul Hilton and Dwight Taylor - July-September 2017
The Department of Defense is transitioning from the legacy Defense Information Assurance Certification and Accreditation Process to the Risk Management Framework process. For the Navy, this transition is much more than a process change. By leveraging the Navy’s technical authority processes, the focus shifts from DIACAP’s vulnerability-based assessment to the RMF’s risk-based assessment.

The Navy’s validator workforce will need enhanced skills and technical data to make this transition. As the Navy’s Information Assurance Technical Authority (IA TA), the Space and Naval Warfare Systems Command (SPAWAR) offers training and IA TA-approved specifications and standards to address this challenge.

Successfully executing the requirements of the Risk Management Framework will require a workforce of validators who are trained, and qualified to assist the Security Control Assessor in assessing the cybersecurity risk in a complex web of interconnected Navy IT systems and equipment. The validator performs a vital role as an independent third party who assesses and validates that the system has implemented the approved security control baseline. In this role, the validator acts as a trusted agent to the SCA.

To accomplish this, SPAWAR developed a Navy Qualified Validator appointment program. This new program addresses the need for a qualified and proficient cadre of Navy validators by requiring members to possess one of the industry standard cybersecurity certifications, a minimum number of years of cybersecurity experience, and demonstrated proficiency in the RMF. Further, the new program describes the process for achieving and maintaining the appointment. To date, SPAWAR has credentialed 168 NQVs across the Navy. The Navy needs more validators to become credentialed as NQVs to support the complete transition to the RMF by April 2018.

The training and qualification requirements for each NQV level are illustrated in Figure 1 and explained in the following paragraphs.

The qualification requirements and responsibilities of an NQV are outlined in Commander, Space and Naval Warfare Systems Command Memorandum 5000, “Navy Qualified Validator” Ser 5.0/362 of 19 April 2016, and differ among three qualification levels (NQV Level I, II, and III). In addition to a set of instructions for NQV applicants, this memorandum also guides acquisition professionals writing contracts for RMF Assessment and Authorization (A&A) support services as it relates to NQV qualifications.

Each of the three appointment levels has its own distinct requirements and varying degrees of responsibility and autonomy. The Level I NQV provides a pathway to train and develop those who are new to the cybersecurity workforce and validation activities while requiring oversight from an experienced Level III NQV as a quality control measure.

Level I NQVs are responsible for identifying and ensuring the availability of a Level III sponsor. Level II is the optimal level for those who will perform RMF validation activities, but who do not need to sponsor/supervise Level I NQVs. The training requirements for level II are not onerous and each training requirement can be satisfied using online training only. Level III NQVs can independently perform all validator activities and sponsor/supervise Level I NQVs.

Since Level IIIs have the privilege to oversee and train the incoming validator workforce (Level 1s), they have to complete the most rigorous training requirements and must have a higher number of years of experience. Level III NQVs are required to take several classroom courses, including the SPAWAR Validator 201 Course (SPAWAR-ILT-NQV-201) and the Defense Information Systems Agency Enterprise Mission Assurance Support Service (eMASS) and DISA Assured Compliance Assessment Solution (ACAS) classroom training.

A misconception is a Level III qualification is required for all assigned validators. The reality is that NQVs meeting Level II standards can accomplish the full scope of RMF validator tasks without restriction and often at a lower cost than a Level III.

As the workforce transitions from the legacy DIACAP to the new RMF NQV program, there are several important planning factors to consider. First, the validator must act as an independent assessor and cannot perform any other roles on a RMF Security Authorization Package for which he or she is listed as the validator. This is a shift in the way the Navy utilized validators over the past several years, as validators in the RMF are solely responsible for assessing the system that is provided to them, and not developing the package or engineering the system itself. Another consideration is that the validator workforce must first gain Navy RMF experience, before applying for NQV Level II and III.

Validators working under DIACAP can easily begin to transition their role by simply completing the four required IA TA computer-based training courses and gaining the required Navy RMF validator experience by working on a RMF package.

To promote active participation and sharpening of NQV skills, an Annual Maintenance Record must be submitted to the IA TA every year to maintain a NQV appointment. The AMR requires that the Navy Qualified Validator participate in RMF validation activities on at least one RMF package each year, demonstrating active participation.

The Navy Qualified Validator Memorandum and further details about the NQV credentials can be found at the Navy Authorizing Official (NAO) Portal hosted by U.S. Fleet Cyber Command/ U.S. 10th Fleet:

The IA TA computer-based RMF 101 and four NQV courses are available at Navy eLearning:

Paul Hilton works in SPAWAR’s Office of the Navy Security Control Assessor.

Dwight Taylor serves as the Deputy Chief of Naval Operations for Information Warfare Cybersecurity Branch Head (OPNAV N2N6BC4).

Figure 1 illustrates the training and qualification requirements for each NQV level.
Figure 1 illustrates the training and qualification requirements for each NQV level.
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer