By P. Devon Schall, PhD, CISSP, RDRP
Over the past 12 months, I have attended a handful of DoD cybersecurity conferences with the goal of convincing the DoD community that RMF training is a key solution in combatting the perceived RMF crisis. These conferences include the Air Force Information Technology & Cyberpower Conference (AFITC), the Armed Forces Communications & Electronic Association West conference (AFCEA West) as well as the Armed Forces Communications & Electronic Association conference at Fort Belvoir (AFCEA Belvoir). A few common themes are surfacing at these shows which include the idea that RMF is failing and that RMF needs to be completed faster. The goal of this article will be to discuss some of these common themes. I recognize the RMF Improvement Suggestions listed below are very controversial, so I will attempt to provide objective observations for each suggestion based on my personal experiences.
RMF Improvement Suggestions:
- If we can make RMF like TurboTax, it will be easier and faster! So easy, in fact, that we won’t even need RMF training.
I know some of you will be upset to hear this, but RMF requires critical thinking and manual risk evaluations. As one of my RMF mentors always told me, “tools are not the answer”. Although I love the idea of creating a software tool that presents RMF like TurboTax, I feel the money DoD would spend paying contractors to create this kind of RMF software tool is unnecessary. Although RMF is a complicated process, it is manageable if proper training is delivered. The biggest issue we are seeing regarding the RMF crisis is a lack of funding. It is my observation that the funding that would be put towards an RMF software tool would be better spent paying RMF practitioners and increasing the cybersecurity workforce for DoD.
- Automating RMF will make the whole process faster, easier, and more effective!
Initially, I thought RMF automation was a great idea until I had a conversation with our lead RMF engineer about it. After relating RMF automation to STIG automation, BAI’s engineer indicated that too often, automating components of RMF ends up breaking systems so that they no longer function, and we don’t know which steps are needed to roll them back to a functional state. RMF was created to be a risk management process that requires organic thinking and risk-based decisions vs. one-click solutions.
- If we can create a minimized, streamlined set of controls to grant folks ATOs with conditions, we can clear up the congestion in the RMF pipeline and get things moving.
I worry that concepts like RMF Sprint and RMF Bridge Program are just “kicking the can down the road” regarding RMF compliance and creating misconceptions about the rigor required to successfully work through the entire RMF process and gain an ATO. Recently, in BAI’s RMF classes, we have had students tell us that they are getting ATOs with conditions by working only a small number of controls, and that the RMF process as prescribed by NIST isn’t reflecting what is happening in the field. Although the RMF process may be abridged for some, this is not necessarily a good thing. Skipping steps and rushing through RMF isn’t helping the cybersecurity posture of our systems, and it is not in line with the spirit of RMF. I understand RMF is robust and challenging, but it should never be treated as a check-the-box process to be rushed through with the sole goal of meeting requirements. At the end of the day, lazy or improperly completed RMF packages threaten national security.