RMF and the COVID-19 Pandemic

By Lon J. Berman, CISSSP, RDRP

2020 has been a turbulent year, to say the least. When it comes to operating and maintaining our information systems, a lot of the “usual routine” has been disrupted in the name of health and safety. In spite of all this turmoil, the need to sustain a high security posture is more critical than ever.

What are some of the security-relevant changes we’re seeing?

  • Some of the usual restrictions on handling of unclassified sensitive information are being waived in order to expedite telework. An extreme example of this is DoD’s implementation of an enterprise collaboration suite in a cloud environment that is not normally authorized for sensitive information.
  • Except for “emergency fixes”, some organizations are choosing to postpone maintenance activities that require physical access to equipment.
  • Agencies that typically employ on-site assessments as part of their RMF process are relying on remote assessments.
  • Organizations are implementing expedited processes for extending existing ATOs without the need for the full RMF process.
  • There’s even talk that telework access to classified information may be coming down the pike!

Are these good things? Well, with the exception of the last item (and we’ll let you make up your own mind on that one), the answer is probably Yes… at least in the short run. It seems reasonable to make these short-term accommodations to allow the mission to continue without compromise. However, if any of these things become the “new normal”, then it gets much more complicated.

We can only hope good quality risk assessments were done before these changes occurred. Unfortunately, given the pace at which most of these things were implemented, it is questionable to what extent real risk management is being practiced. Were the threats and vulnerabilities carefully evaluated and appropriate security controls put in place as countermeasures? Are there plans in place, and are they being executed, to continuously monitor the effectiveness of these controls and make appropriate adjustments? We don’t really know.

What we do know with virtual 100% certainty is that the “usual suspects” (aka. the bad guys) are carefully studying all of this, looking for new weaknesses they can exploit to cause disruption of services or even gain unauthorized access to government systems and data. And they can do it all while isolating themselves and practicing social distancing!


Post Categories: Risk Management Framework Tags: