The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the Department of Defense’s Risk Assessment Methodology (RAM) both provide mechanisms to assess overall risk in government agencies and military services.
RMF is well grounded in established procedure, classifying and categorizing information systems throughout organizations and assigning appropriate security controls to understand and manage risk in an ongoing manner.
RAM addresses risk, but focuses on a targeted threat or vulnerability in relation to affected systems. RAM is more emergent while RMF is more continuous and high-level. In today’s military cyber environments, where ongoing security maintenance is often surpassed by current operations — separating executives from the “Cyber Commander” — these two tool sets are often used within their respective silos. Authorization teams follow RMF, applying up-front rigor to categorize, document and monitor IT risk.
Meanwhile, operational analysts apply RAM in response to emerging threats. This difference in approach creates gaps in how we protect our networks and prioritize defenses that cyber attackers could exploit.
Current trends in military cyberspace operations point to a growing schism between legacy IT provisioning and governance components and the day-to-day “cybersecurity operations.” This gap results in reactionary activity — diverting resources to address a threat without fully understanding its potential impact. By using both tools in an integrated manner (i.e., interlocking cyber fire), cyber operators can normalize emergent cyber threats against ongoing cyber operations to weigh risk and apply appropriate resources, funding and prioritization based on mission need.
RMF is leveraged by an authorizing official (AO) to assess and manage IT risk for a security program, system, or application to support its authorized use within an organization. The AO will accept or deny risk based on the risk tolerance and the appetite of the organization and an assessment of the technology and security configurations used. Assessors apply the framework to verify security controls and monitor risk based on the system categorization; for example, a mission-essential system will have more stringent security requirements than a low priority system. RMF allows organizations to definitively catalog all components of a new system, such as asset and configuration management.
The value of RAM
On the other end of the spectrum is DoD’s RAM, developed for operational risk decisions based on vulnerabilities and known data points of the organization and its defense posture. Taking a matrixed approach, RAM examines TVI — Threat, Vulnerability and Impact — to perform an overall risk recommendation. Here, threat is most commonly the deciding factor that will either lower or amplify the final recommendation and is where a strong and capable intelligence department can truly shine. For example, while an organization may overreact to a new zero-day exploit, intelligence can be the component to determine that imminent likelihood of exploitation is quite low due to observed activity versus the organization’s attack surface.
That leaves impact as the wildcard in RAM. The problem with impact is its nebulous, ill-defined terms: mission-critical, mission-essential, mission support, warfighting functions, and business functions. The lack of clear definition makes impact a best guess scenario. As the word implies, “what is the damage to the organization that we will sustain if we are hit?”
Synthesizing RMF and RAM
Both frameworks rely on a clear understanding and definition of cyber terrain — network and critical asset identification, network connections and interactions, system and network prioritization, and dependencies. Cyber operations must understand business (mission) needs.
Herein lies the opportunity to connect RMF and RAM. RAM requires cyber commanders and duty officers to have immediate and thorough understanding of their information systems, the data stored within each, and how it all relates to (forward) operational commanders and their missions.
Therefore, this poor grasp of an organization’s cyber terrain limits RAM as a methodology. Operational cyber personnel just don’t have the in-depth knowledge of the cyber terrain they’re charged with protecting to make a qualified determination to the organization as a whole for impact. However, what commanders forget is that RMF should have already done this work for them. The key here is to use the first step of RMF: system categorization.
Since RMF tasks have already categorized critical systems, the question becomes: How do we ingest system categorization into RAM to make better decisions faster?
Here we can ask a clarifying question:If you lose all your (cyber) capabilities and you can partially restore — what do you restore and in what order?
If you don’t know the answer to that question neither methodology is helping you support, defend and execute your mission.
Greater emphasis should be placed on appropriate system categorization (cyber terrain). Resources across IT and cyber are limited so organizations must apply protections and defenses commensurate to the value of the data as defined and approved.
Cyber commanders should take the following steps to integrate operations and governance teams:
Develop clear guidance on how the accreditation and authorization (A&A) teams provide data to the operational cybersecurity authority on network topologies, system and network configurations, interconnections and defensive measures.
Promulgate direction to mandate that operations feed the A&A team with findings from audits and incident response activities. A&A personnel can review to determine if the system or network is operating within its authorized and approved configuration.
Establish a working group to share information between operations and A&A.
RMF and RAM are not perfect risk decision models. However, by cross training executive and operational leadership to understand both and utilize one methodology to feed the other, organizations can begin to truly normalize all cyberspace operations and pinpoint where to allocate resources.
Marvin Marin is a Chief Cyber Officer with ELM Cyber, LLC, Colby Proffitt is a senior business analyst for NetCentrics and Lt. Devin Strzok is with the U.S. Coast Guard.