The Defense Department is transitioning to a new approach to authorize its IT systems. The Risk Management Framework (RMF) will replace the DoD Information Assurance Certification and Accreditation Process (DIACAP).
This new approach should let owners, operators and defenders of IT systems better understand and manage the risks posed by threats and vulnerabilities to DoD networks and data.
While managing risk is more difficult than checklist compliance with cybersecurity regulations, officials said it produces better results.
RMF is years in the making
The move from DIACAP to RMF is not new — it began about four years ago with DoD Instruction 8510.01, issued in March 2014, said Ed Brindley, DoD’s acting deputy chief information officer for cybersecurity.
“It offered an opportunity to get federal civilian agencies, DoD, and the intelligence community all using the same process,” he said.
Because DoD requires an authorization to operate (ATO) before each IT system comes online, and mandates reauthorization every three years, use of the RMF has been phased in over that three-year cycle rather than switched on at once. Ron Ross, Joint Task Force Transformation Initiative project leader for the National Institute of Standards and Technology (NIST), has worked closely with the DoD CIO office on the transition.
“Now that three years is gone, the deadline is here,” he said. “I have a high degree of confidence that they are ready [for the deadline].”
Prioritizing risk in IT systems
Risk management recognizes that risk in complex IT systems cannot be completely eliminated, and that the owners and defenders of systems must decide what risks to remove, what is impractical to remove and what must be managed. To do this, system owners must understand, assess and prioritize their risks.
The RMF is a unified framework for assessing organizational risk posed by IT systems and managing that risk by selecting the appropriate security controls. The framework supports continuous assessment as the security status changes throughout the system lifecycle.
It includes six steps:
Categorize the system and the information using impact analysis.
Select an appropriate set of baseline security controls based on the potential impact.
Implement the controls and document their deployment.
Assess whether security controls are implemented correctly, operating as intended and producing the desired outcome.
Authorize the system’s operation.
Monitor security controls on an ongoing basis.
The current framework is the result of an effort that began in 2009 to harmonize cybersecurity requirements for the civilian, defense and intelligence communities. Although there are differences in each community’s needs, Ross said there is a 95 percent overlap.
By harmonizing requirements, he said, “we can spend our time doing good standards, and the warfighters can spend their time doing what they do best.”
Risk management requires a cultural shift away from compliance to risk-focused decision making.
“The purpose of RMF was to shift our cybersecurity activities from focusing on checklists to a discussion about risks,” Brindley said. “It moved the conversation to addressing the threats and vulnerabilities and how they impacted our systems, businesses and processes.”
This should provide more effective cybersecurity by allowing continuing, prioritized response to threats. Ross said that cybersecurity is difficult and defenders implementing risk management must choose from among hundreds of possible cybersecurity controls and other responses to risks.
“Having choices is always more difficult than giving people a checklist. But the idea of one list that will fit everybody is a fantasy,” he said.
Brindley added that the RMF process has its limits.
“What we get from RMF is how we leverage information to better inform processes,” he said.
“We need to do a better job of using this information to inform mission risk, acquisition decisions and system engineering efforts. This integration across organizations is difficult, but this is where the true value of RMF lies.”