The Department of Defense is transitioning from the legacy Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF). For the Navy, this transition is much more than a process change. The RMF will bring three significant improvements to how the Navy manages cybersecurity risk.
First, it forces incorporation of cybersecurity capabilities early in a system’s design. Second, it increases the emphasis on continuous monitoring of security controls throughout a system’s life cycle. Third, it brings the Navy’s platform IT, combat systems and industrial control systems under the same procedures (i.e., RMF). However, implementing and executing the RMF is more complicated than DIACAP.
Implementing RMF is a six-step process. Experience from a pilot with early adopter systems from three of the Navy’s Systems Commands, as well as current RMF submissions across the Navy, has demonstrated that completing the requirements for RMF Steps 1 and 2 is particularly challenging. In response to this challenging transition, the U.S. Fleet Cyber Command Navy Authorizing Official (NAO) teamed with Space and Naval Warfare Systems Command (SPAWAR) to develop an RMF Fleet Integration Team (FIT) project. During RMF FIT events, teams deployed to the commands’ locations to provide on-site, hands-on and focused transition support for information systems (IS) that are under the aegis of the NAO. Special emphasis was placed on bringing a system through RMF Steps 1 and 2.
The FY17 FITs have proved to be extremely successful. The team completed 13 FIT events with Navy Echelon II commands during FY17. Under the normal RMF process, the average time to complete RMF Steps 1 and 2 is 88.5 days. However, for systems that were part of an RMF FIT event, the average completion time for RMF Steps 1 and 2 was reduced to 8.5 days — a 941.18 percent decrease.
The objective of RMF FITs is to promote standardization and assist Assessment and Authorization (A&A) staffs at Navy Echelon II Package Submitting Offices (PSO) to execute necessary tasks for Navy RMF Steps 1 and 2. The outcome for each RMF FIT event is to complete all necessary tasks in preparation for submitting an authorization package to the RMF Step 2 checkpoint.
Each RMF FIT was scoped to provide facilitated, hands-on support to the PSO and Program Manager/Information System Owner (PM/ISO) to refine their knowledge of RMF concepts and tasks in order to submit accurate and mature RMF packages. The direct interactions with the PSO, PM/ISO, Security Control Assessor Liaison (SCAL) and AO Cybersecurity Analyst (AO CSA) were designed as a way to lead change and to establish and reinforce RMF standard business rules for package development and submission. An effective RMF FIT event with primary stakeholders will aid in improving efficiency and reducing rework end to end.
Key concepts of an RMF FIT event are:
- In advance of the event and in coordination with the NAO and Security Control Assessor (SCA), the PSO will select a low-complexity, currently accredited IS as the target for the RMF FIT event. To achieve maximum benefit from the event, it is recommended that the PSO consider selecting an IS that has already initiated RMF activities.
- The NAO and Navy SCA will provide representatives to facilitate approval of the components required for RMF Step 2 concurrence.
- The RMF FIT team provides three days of onsite hands-on facilitation for all tasks associated with preparing a package for an RMF Step 2 checkpoint.
If all RMF Steps 1 and 2 deliverables are completed and concurred on by the appropriate RMF stakeholders and there are no outstanding requirements (e.g., pending waiver or agreements), the IS will have the green light to submit for RMF Step 2 checkpoint and concurrence. This is the expected outcome of RMF FIT events, and 92 percent of FITs executed in FY17 have been submitted for Step 2 checkpoint.
The RMF FIT has been extended through FY18 as part of the Navy’s RMF surge activities. Navy commands are encouraged to leverage this valuable resource to accelerate transition of their systems to RMF. Further details about the RMF FIT can be found at the NAO portal hosted by U.S. Fleet Cyber Command/U.S. 10th Fleet: https://usff.navy.deps.mil/sites/fcc-c10f/odaa/Pages/RMF.aspx.
Charles Hester and Carl Rice both work in the U.S. Fleet Cyber Command Office of the Navy Authorizing Official.