It’s been five years since the Defense Department adopted the Risk Management Framework as its new method for accrediting the cybersecurity of IT and weapons systems. And to put it gently, things got off to a bit of a rocky start. In the Army’s case, because of the way the service first implemented RMF, it resulted in an 800% increase in workload.
But officials said they’ve already made dramatic improvements in the process even as they’re now setting out on a multi-year, three-phase RMF reform effort called Project Sentinel. The Army said it has shaved hundreds of hours off the authorization and accreditation process and eliminated its backlog of systems awaiting cyber approval.
“I think we’re at the point now where we’ve learned enough, and you see this in the other services as well: the Air Force did their Rapid ATO process, and we did a similar process for our tactical systems,” Nancy Kreidler, the director of cybersecurity and information assurance in the Army CIO’s office said in an interview for Federal News Network’s On DoD. “There was a really steep learning curve and it did take a while to get a handle on the process before we started tailoring.”
By “tailoring,” Kreidler means taking the full body of security controls in RMF — there are some 1,900 in all — and prioritizing the ones that are most critical to the Army or to the security of a particular system, considering the environment that system will operate in.
That is a marked departure from how the service first adopted the framework, which was developed by the National Institute of Standards and Technology.
In 2015, when the Army first switched to RMF, it began using its own workforce to conduct security assessments, rather than the third-party assessors who were hired to do the job under the former DoD process, known as DIACAP.
“What happened was there were so many controls and they were not prioritized,” Kreidler said. “Every control becomes equal to the control before and the control after it. And because of that, you really aren’t prioritizing your risk or what you should focus on. And when you go from maybe a 200-assessment procedure to 1,900 assessments, you just try to get through the process.”
The NIST process explicitly calls on organizations that use RMF to start by selecting the controls that are relevant, and that’s what the Army is largely doing in the first two phases of Project Sentinel.
In the first phase, underway now, the Army is looking at ways to let individual systems “inherit” security controls from the infrastructure they operate on, or from policies that are already enforced across the entire organization.
By April, a working group of RMF experts from across the Army hopes to agree on a smaller, consolidated set of security controls that most systems will be assessed against. Kreidler said it’s impossible to know exactly how many there will be, but she hopes to reduce it from 1,900 to between 200 and 300.
“It’s not about just reducing the controls that we’re really looking at, it’s identifying the right controls based on what we need. One of the things that I want to ensure is that when we reduce this control set, it is the right controls and we can hold people accountable,” Kreidler said.
Beyond consolidation, the Army will focus on prioritizing the controls its assessors look at in phase two of Project Sentinel.
To make decisions about which of the controls are most vital and where it is and isn’t willing to take risks, it will use threat data from Army Intelligence, the Center for Internet Security and other sources.
“We will continue to identify these threat sources as time goes on, and we’re going to map the current threat to the controls and prioritize the controls,” Kreidler said. “Once we do that, we’re going to identify a threshold depending on what’s going on in the state of cybersecurity. And there will be instances where there are vulnerabilities that are found that cannot be mitigated without a higher level review. An example of this would be personally identifiable information that is not encrypted. Are we going to allow that on the network or not?”
In the project’s third phase, the Army plans to conduct a significant rewrite of the NIST security controls so that they’re more understandable to its own assessors and other stakeholders.
“This is important because you can have five people in a room looking at a NIST control and you will have five different interpretations of what it’s asking for,” she said. “Sometimes it’s just putting it in plain language. But there are other specific instances in the Army, for example, on tactical systems, where a NIST control may ask something that doesn’t really fit into that architecture that you’re looking at. An example might be it’s asking for something about the physical environment, but the system is a [portable] radio. Well, you can’t really answer that question. So is there a way we can write that in a way that we either understand what the control is really asking for, or write it in a way where the person can address it?”
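The three tailoring steps described above (inheriting controls from a common provider, dropping controls that do not fit the operating environment such as physical-environment controls on a portable radio, and prioritizing the rest against a threat-derived threshold while keeping higher-review items like unencrypted PII in scope) modelled as an added illustration. This is not the Army's tooling or data: the control identifiers are a small NIST SP 800-53-style sample, and the threat mapping, weights and provider names are constructed.

```python
"""Toy model of RMF control tailoring: inheritance, environment fit, and
threat-based prioritization. Catalog, weights and providers are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    ident: str          # NIST SP 800-53 style identifier (sample subset)
    family: str         # control family prefix, e.g. "PE" = physical
    threats: frozenset  # threat categories the control mitigates (constructed)
    escalate: bool = False  # failing this needs higher-level review, not a POA&M

# Constructed sample catalog: a handful of controls standing in for ~1,900.
CATALOG = [
    Control("AC-2", "AC", frozenset({"credential theft", "insider"})),
    Control("IA-5", "IA", frozenset({"credential theft"})),
    Control("SC-28", "SC", frozenset({"data exposure"}), escalate=True),  # data at rest
    Control("SI-3", "SI", frozenset({"malware"})),
    Control("AU-6", "AU", frozenset({"insider"})),
    Control("PE-3", "PE", frozenset({"physical"})),
    Control("AT-2", "AT", frozenset({"phishing"})),
]

# Phase 1: common control providers a system inherits from (constructed).
INHERITED = {"AC-2": "enclave identity services", "AT-2": "Army-wide training policy"}

# Control families that do not fit a given operating environment (constructed).
NOT_APPLICABLE = {"tactical_radio": {"PE"}, "data_center": set()}

# Phase 2: threat weights as they might come from intel sources (constructed).
THREAT_WEIGHTS = {"credential theft": 5, "data exposure": 4, "malware": 3,
                  "insider": 2, "phishing": 2, "physical": 1}

def tailor(catalog, environment, inherited=INHERITED):
    """Controls the system itself must be assessed against."""
    skip = NOT_APPLICABLE.get(environment, set())
    return [c for c in catalog if c.ident not in inherited and c.family not in skip]

def score(control, weights=THREAT_WEIGHTS):
    """Sum of the weights of every current threat the control mitigates."""
    return sum(weights.get(t, 0) for t in control.threats)

def prioritize(controls, weights=THREAT_WEIGHTS, threshold=3):
    """Split into (must_assess, deferred) by threat score; escalation-flagged
    controls are always assessed regardless of score."""
    ranked = sorted(controls, key=lambda c: -score(c, weights))
    must = [c.ident for c in ranked if c.escalate or score(c, weights) >= threshold]
    deferred = [c.ident for c in ranked if c.ident not in must]
    return must, deferred

def assess_plan(environment, threshold=3):
    return prioritize(tailor(CATALOG, environment), threshold=threshold)
```

Raising the threshold shrinks the must-assess list but never removes an escalation-flagged control, which is the behaviour the "higher level review" rule calls for.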
The tailoring already done has produced measurable savings. For example, by letting systems take credit for policy-based controls, the Army has cut 167 separate procedures from the list of items its assessors must tackle. The service estimates that’s saved about 40 hours of work for each system, and the Army has about 1,000 systems that are subject to RMF. It has managed further reductions among the tactical systems the Army’s cross-functional teams are working on, cutting an average of 230 hours of work per system from those projects.
For vendors, the changes are likely to mean that systems that are built with RMF in mind are the ones that are most likely to gain security approval more swiftly.
“This is going to really look at systems and applications and networks where security is built in, because if it’s not built in, it’s going to show in this process,” Kreidler said. “In the past, things were able to be documented in a plan of actions and milestones. If you come with a system or a product that is above our risk threshold, we’re going to have a little bit more difficulty getting it on the network.”