By P. Devon Schall, M.S., MA.Ed. CISSP, RDRP
Over the past few months, I have heard rumblings of something called the “RMF 30-Day Sprint”. It came up initially during an RMF for DoD IT training I taught in Virginia Beach, and it was pitched as a new program to grant conditional one-year ATOs with compliance with 36 controls as the only requirement. I quickly socialized “RMF 30-Day Sprint” with my team, and they countered with the question of who would choose the 36 controls and why they would be chosen. This was a valid point that I had no answer to. I brushed “RMF 30-Day Sprint” off as an idea that was discussed over a water cooler and not a reality. Well, it appears that I was wrong. After recently attending the Air Force Information Technology & Cyberpower Conference (AFITC) in Montgomery, RMF 30-Day Sprint was confirmed during an informational session I attended. This short article discusses the driving forces behind “RMF 30-Day Sprint”.
“RMF 30-Day Sprint” is currently an Air Force initiative. At this point, I have not figured out what committee chose the 36 controls being addressed in the program.
“RMF 30-Day Sprint” hasn’t formally gained approval, but it was presented to me like it was already being implemented. A senior ranking Air Force official said, “RMF 30-Day Sprint has not been formally approved, but we are all preparing for it to be signed”. This same person indicated that “RMF 30-Day Sprint” would span across all of DoD. I doubt this, but I also doubted this whole program, so who knows!
Authorizing Officials (AOs) and assessment teams are buried in backlogged RMF packages. “RMF 30-Day Sprint” is an attempt to let teams get caught up and work through system reviews efficiently. It has been expressed to me that many systems are “running in the red” and operating without an ATO.
At this point, it is hard to tell if “RMF 30-Day Sprint” will catch on or if this is a one-off Air Force initiative. Although I cannot predict the success of this initiative, I can confirm that RMF practitioners are incredibly frustrated and that the RMF pipeline is clogged, with the process currently working very inefficiently. Early data from my RMF research shows that RMF practitioners are committed to RMF as a long-term, sustainable cybersecurity framework for the US Government. I imagine the solution is going to come down to RMF practitioners figuring out a way to make RMF operate efficiently rather than as a cumbersome, check-the-box compliance process plagued by weak financial and administrative support.
RMF 30-Day Sprint Controls:
SA-4, SA-4(1), SA-4(6), SA-4(7), CM-2, CM-8, CP-9, CP-9(3), CA-3, AC-17, AC-17(2), AC-17(3), IA-2, IA-2(2), AC-5, AC-6, AC-6(2), AC-2, AC-2(7), CM-6, IA-4, IA-4(2), IA-5, IA-5(1), IA-5(3), IA-5(5), IA-5(6), IA-5(7), IA-5(2), SC-12, CM-7, CM-7(3), CM-1, CM-3, CM-9, CM-10(1)
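A practitioner asked to scope an assessment to this list will want to sanity-check it before using it. The following Python is an added example, not part of the article or of any Air Force material: it parses the list above as it appeared in the article (spacing defects included), confirms the count, shows how the controls spread across SP 800-53 families, and flags any enhancement whose base control is not in the set.

```python
import re
from collections import Counter

# Constructed input: the control list as printed in the article, including the
# stray spaces extraction left in it ("SA-4(1 )", "AC- 17", "AC-17 (2)").
RAW_SPRINT_CONTROLS = (
    "SA-4, SA-4(1 ), SA-4(6), SA-4(7), CM-2, CM-8, CP-9, CP-9(3), CA-3, "
    "AC- 17, AC-17 (2), AC-17(3), IA-2, IA-2(2), AC-5, AC-6, AC-6(2), AC-2, "
    "AC-2(7), CM-6, IA-4, IA-4 (2), IA-5, IA-5(1 ), IA-5(3), IA-5(5), "
    "IA-5(6), IA-5(7), IA-5(2), SC-12, CM-7, CM-7(3), CM-1, CM-3, CM-9, CM-10(1)"
)

# A normalized SP 800-53 identifier: two-letter family, base number, optional enhancement.
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def normalize(token):
    """Remove stray whitespace from one identifier, e.g. 'AC- 17' -> 'AC-17'."""
    return "".join(token.split()).upper()


def parse_controls(raw):
    """Return (family, base, enhancement) tuples; enhancement is None for a base control.

    Anything that is not a well-formed identifier raises, so a typo in a control
    list fails loudly instead of silently shrinking the assessment scope.
    """
    parsed = []
    for token in raw.split(","):
        ident = normalize(token)
        if not ident:
            continue
        match = CONTROL_RE.match(ident)
        if match is None:
            raise ValueError(f"not a control identifier: {token!r}")
        family, base, enh = match.groups()
        parsed.append((family, int(base), int(enh) if enh else None))
    return parsed


def family_counts(controls):
    """Controls per family, to see where the set concentrates its coverage."""
    return Counter(family for family, _, _ in controls)


def enhancements_without_base(controls):
    """Enhancements whose base control is absent; each is a scoping question for the assessor."""
    bases = {(f, b) for f, b, e in controls if e is None}
    return sorted(f"{f}-{b}({e})" for f, b, e in controls if e is not None and (f, b) not in bases)


if __name__ == "__main__":
    controls = parse_controls(RAW_SPRINT_CONTROLS)
    print(len(controls), "controls;", dict(family_counts(controls)))
    print("enhancements without base control:", enhancements_without_base(controls))
```

On this list it reports 36 controls, with CM, IA and AC accounting for 28 of them, and CM-10(1) as the one enhancement listed without its base control.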