By Philip D. Schal, Ph.D., CISSP, RDRP
What is Project Sentinel?
The United States Army recently announced that it is launching a new initiative called Project Sentinel. Project Sentinel is described as an adaptation of the traditional RMF process with the goal of streamlining RMF into a threat-informed risk decision process. Due to criticisms of RMF as a check-the-box compliance process that is laborious and lacking agility, the Army feels a threat-informed risk management decision process would be effective.
Project Sentinel will utilize authoritative threat sources such as the Critical Security Controls for Effective Cyber Defense published by the Center for Internet Security (formerly the SANS Top 20) to establish a threat hierarchy containing the most common attacks and the controls relating to them. Additionally, the project will review Army Cyber Command (ARCYBER) threat trends from the Intelligence Community and its partners. By focusing on these high-priority threats, it will be possible to tailor the RMF control set, saving time by navigating only the controls related to high-priority threats rather than all the RMF controls. Additionally, the Army will create a risk threshold that will prioritize controls, changing based on continuously monitored emerging threats.
Initial steps of Project Sentinel will be to review threat sources and map threats to RMF controls in Phase 1; then, after pilots in the next few months, the level of assurance in relation to control identification will be assessed. After the entire process is reviewed, a Phase 1 capability statement will be available in the April-May 2020 timeframe.
You may recall an article I published in October 2018 titled “RMF 30-Day Sprint”. For those of you not religiously tracking BAI’s RMF article publication cycle, I’d be happy to elaborate. During the summer of 2018, I attended the Air Force Information Technology & Cyberpower Conference (AFITC). During this conference, I caught wind of an Air Force initiative (a version now exists for the Navy as well) called The RMF 30-Day Sprint. Goals of the sprint were quicker ATOs and maximized RMF efficiency.
Since the article’s publication, the Air Force has moved away from the RMF 30-Day Sprint. These examples illustrate that abridged control sets with goals of maximizing RMF efficiency are not new to the services.
Overall, I recognize that RMF is often viewed as a burdensome, overly robust process that does not have the agility required to keep up with the evolving threat landscape, but due to the holistic nature of RMF, I am not entirely convinced taking a subsection of RMF controls is the solution to these pain points. Although some RMF controls are more aligned with the evolving threat landscape than others, all RMF controls attached to a system are important due to their interconnectedness. Taking RMF’s holistic nature into consideration, I worry that Project Sentinel will place focus on a specific section of controls and neglect others.
I applaud the Army for taking the perceived RMF crisis seriously and looking for solutions to increase efficiency, but if Project Sentinel moves forward, it must be stressed that the controls at the bottom of the “risk threshold” are given appropriate attention and not just pushed to the side in efforts to implement high-priority controls and achieve quick conditional ATOs. After all, if higher-priority controls become the primary focus of RMF, the lack of attention to other controls perceived as lower priority will create new risk conditions. Additionally, a focus on continuous monitoring and DoD publishing clear continuous monitoring guidance would potentially strengthen DoD’s risk posture more than an abridged RMF control set project, but that is a topic for another article. I truly hope Project Sentinel is a success in strengthening Army cyber defenses and reducing risk, and that it helps mitigate the perceived “RMF crisis”.