Army streamlines RMF… or weakens it?

By Lon J. Berman, CISSP, RDRP

Anyone who has endured the “adventure” of going through the full RMF life cycle can attest to the daunting amount of work and attention to detail required to be successful. Some even question whether all this effort is really making our IT systems more secure. It is therefore natural for departments and agencies to pursue some sort of “streamlining” of the process. The Army’s answer lies in something they are calling Project Sentinel (or sometimes “RMF 2.0”).

Project Sentinel aims to streamline the RMF process by identifying a subset of the baseline controls that are deemed “critical” and focusing on those rather than on compliance with the full set. Their choice of critical controls is intended to be “threat-focused” and “dynamic”, meaning that it can evolve over time in response to the changing threat landscape.

The Army’s Network Enterprise Technology Command (NETCOM) is managing the Sentinel program, and they are using the eMASS tool to implement it. Sentinel is set up as a Common Control Provider (CCP), from which systems can receive security control inheritance. System owners place a request for inheritance from Sentinel, just as they would for a hosting data center or cloud service provider. NETCOM then reviews the requesting system’s eMASS record to ensure the hardware/software inventory is complete and all applicable Security Technical Implementation Guides (STIGs) have been identified. They will then approve the inheritance request, and the system owner will see literally hundreds of inheritable controls available to them.

The only caveat is that system owners are advised not to accept inheritance for any controls that are directly mapped to STIG items. All other inherited Sentinel controls will show up as Not Applicable (NA) in the receiving system’s eMASS record, which of course means the system owner is required neither to implement the control nor to provide supporting documentation for it. Along with each such NA control comes a “justification” provided by NETCOM stating that the control is subject to review and that the inheritance may be withdrawn in response to a changing threat environment. Should that occur, the receiving system would immediately become responsible for implementing and documenting the control.

The net effect of receiving inheritance from Sentinel is that the receiving system will be responsible for implementing and documenting a considerably smaller number of controls. The independent assessment teams (required for all Army RMF efforts) will therefore have a smaller number of controls and documentation artifacts to review. It can be said that Sentinel inheritance deemphasizes management and operational controls in favor of technical controls, thus making STIG compliance the focus of RMF.

Critics see all of this as a weakening of RMF by the Army and, more broadly, a weakening of the “Holistic Security” philosophy that has traditionally been the centerpiece of enterprise security management frameworks across government and industry. They fear this over-emphasis on technical compliance will result in system owners becoming less vigilant about things like policies, operational procedures (such as Incident Response and Disaster Recovery plans) and even training. Failures in these areas can have consequences just as devastating as those that come from technical vulnerabilities. Recent highly publicized security incidents such as ransomware attacks can best be prevented or managed through operational controls (e.g., end user training, incident response planning) rather than technical system configuration. Some dyed-in-the-wool cynics even go so far as to suggest that the whole threat-focused “thing” is just a smokescreen and that the reality is the Army has caved to the “this is too hard” whiners.

The bigger “RMF 2.0” picture in the Army also includes plans to enhance continuous monitoring (of technical controls) and to move towards a “continuous authorization” model (vice periodic reauthorizations). Again, opinions vary on whether these are good things or just more cutting of corners.

Will Sentinel and “RMF 2.0” make Army systems more secure … or less secure? Will similar programs take hold in other DoD components? Time will tell. Stay tuned!


Post Categories: Federal GovernmentRisk Management Framework Tags: