Navy reforming its IT security processes to approve new systems in a day

The Navy is jumping on the bandwagon of federal agencies who are reforming their IT security processes to speed new capabilities through the approval process in as little as a day.

That’s a far cry from the 13-18 months it currently takes for software to make its way through the Navy’s implementation of the Risk Management Framework. And the Navy is starting its reform effort with what’s arguably its most challenging IT environment: The networks aboard its ships.

The new process — called Rapid Assess and Incorporate Software Engineering in a Day (RAISED) — is slated for implementation across the fleet later this year. Like the Army and Air Force, the Navy has concluded the best way to speed up the RMF process is to settle on a smaller number of security controls that each new system will have to be examined against.

To do that without compromising security, systems will be eligible for RAISED only if they have been built in a common development environment and use a shared, trusted IT infrastructure. If that’s the case, they’ll be able to inherit many of the security controls that have already been applied to those environments.

“The chief of naval operations and the Department of the Navy chief information officer are really driving the Navy to leverage the power of networks, cloud computing, machine learning and artificial intelligence,” Capt. Susan BryerJoyner, the cybersecurity branch director in the office of the deputy chief of naval operations for information warfare, said in an interview for Federal News Network’s On DoD. “These are all technologies that, once we figure out how to incorporate them into our daily processes, are going to accelerate our ability to respond quickly to emerging threats. So there’s an urgency from my perspective. We’ve got to be able to authorize the resulting capabilities in a timely manner in order to avoid impeding delivery to the fleet.”

The RAISED concept goes hand-in-hand with an older Navy initiative that also aims to build agile development methodologies into the service’s daily routine and dramatically accelerate the process of delivering new software to ships. But that effort, called Compile to Combat in 24 Hours, can’t work if the security authorization process remains the bottleneck it is today.

The Navy is still building the new workflows that will determine how software will move through the new security framework, and it’s looking for test cases to validate the process. The first test case will probably take roughly six months to earn an authorization, because the Navy wants to ensure it’s chosen the right security controls for RAISED.


But soon after, it hopes to speed the process up to about a week, and then a single day. By this fall, the process should be widely available across the fleet.

“It’s a crawl, walk, run scenario,” BryerJoyner said. “If we can get it from 18 months down to six months, that’s a win, but it’s still not fast enough. So we’re going to continue to work to automate the process and really, that’s where we’re going to see the greatest increase in speed: When we figure out what portions of this authorization process we can automate, so the data automatically feeds from step to step. We know the information we want to move from step one to two to three to four, but we have not yet figured out how we’re going to automate the transition of the data.”

By next year, the Navy wants to extend the concept to its shore-based IT systems, including applications that will be hosted in commercial cloud environments.

But BryerJoyner said officials decided to begin with the afloat networks, since they have the greatest demand for quick-turn IT development.

“It all starts with that vision of Compile to Combat in 24 Hours, being able to give our tactical forces the flexibility and the agility to build the capabilities they need on the fly. Because that’s our warfighting edge,” she said. “We are absolutely pursuing both approaches. But when you listen to the CNO, and you listen to the urgency and the demand for capability at the edge, we’ve got to figure out how to crack that. The shore solutions are easier, but that’s probably not where we need the agility right now.”
