By Amanda Lowell, Security+ CE, RDRP
My friends and I joke that being in the field of cybersecurity is equivalent to searching for unicorns–achieving cybersecurity is a myth…
Let me explain.
The “cybersecurity” buzzword, as it is thrown around by executives today, is a myth. The concept of security itself means protection from risk. Complete cybersecurity (aka zero residual risk) in any organization is impossible. This is why I am so passionate about unveiling security theater; to me, the ultimate form of corporate deception is lip service about security to customers that do not have the ability or access to verify those claims. What organizations should strive for (and communicate to their stakeholders!!!) is resilience against threats and effective management of risk.
Lucky me! I recently had the privilege of attending BAI’s Risk Management Framework (RMF) for DoD IT Full Program + eMASS eSSENTIALS training in Pensacola, FL. Our training was developed to assist DoD personnel and contractors in establishing and maintaining a cybersecurity program in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework.
Establishing an RMF package within government information systems and achieving an authorization to operate is required to comply with the Federal Information Security Modernization Act of 2014 (FISMA). But, as with many federally required activities (I’m looking at you, taxes), navigating the “how” is more confusing than trying to understand differential calculus when you haven’t yet learned to multiply.
So, I wrote this article to help ISSMs, system owners, system admins, and other folks involved in RMF using the concepts taught in our flagship training. I learned all of this from our illustrious lead RMF instructor, Linda Gross (CISM, RDRP), who boasts 40 years serving the Army in cybersecurity from the DITSCAP years, through DIACAP, and into RMF. Some of you may be facing more time/resource/personnel challenges than others, but these key takeaways will help you transition from barely surviving to thriving.
10 Concepts for a Thriving RMF Program:
1. Step 0: Performed throughout all steps!
RMF 2.0 introduced a new step in the 6-step lifecycle: Prepare! Entitled Step 0, the Prepare step is intended to be performed before each of the steps, not just at the beginning of the RMF Lifecycle. Each step will have a set of deliverables and individuals responsible for the activities, so make sure you have scoped and delegated the work as best as you can for each step before you try to execute.
2. Document, document, document
This may seem self-explanatory, but when folks are under-resourced, documentation is the first to go. However, you are going to need lots of evidence for your RMF package. The evidence needed can go from memorandums of understanding that offload responsibility to your service provider, to aggregations of logs with signatures proving that regular auditing is occurring. Linda put it this way: “Get credit for what you are already doing.” If you have already implemented security controls in some measure (99% of you have implemented at least ONE security control), create space for the team to document the entire process, as the artifacts you create may be applicable to multiple controls.
3. Take care of the “little things”
Going off the previous point, Linda means “little things” to be small areas of non-compliance within your existing workflow that can be easily remediated. For example, if you have implemented role-based access control (RBAC) as a part of control AC-2, and you identify that one employee has not been assigned the appropriate role for his responsibilities, do not wait for the assessor or AO to come and tell you that you are non-compliant. A quick call to the domain administrator can assign the individual the least-privileged roles required to do his/her job, and the issue will be resolved before the problem trickles into later steps. “Little things” add up, and can mean the difference between an ATO, conditional ATO, and a denial of authorization to operate (DATO).
4. Know who’s responsible for what–and have it on record
Your information system likely communicates with several other systems, applications, and services. Once you have decided on your system boundary (what systems are covered in your authorization process), you will be relying on the owners of other integrated IT systems and components to provide common controls and collaborate with you on hybrid controls. Make sure all inherited or hybrid controls are specifically outlined in your SLAs, MOUs, and other agreements with third parties, so you have non-repudiable evidence if those systems are found non-compliant.
5. All risks lead back to the ISSM
The Authorizing Official is the individual who accepts the risk for the organization, but ultimately, all risks lead to the ISSM. If you are the ISSM, responsibility for due diligence and mitigation of risk is traced back to you. Don’t fall into the trap of thinking, “I assigned that responsibility to the system administrator,” or “Our platform service provider handles those controls!” It is your job to ensure activities are being performed and to report to upper management when they are not. CYA!
6. Get to know key individuals
RMF is both a complex and subjective process. Every AO will have different risk tolerance levels, and different biases and preferences when it comes to your RMF package. So, Linda says to make sure you get to know your security controls assessor, system owner, authorizing official (and AODRs), third party POCs, and anyone else is involved in the process. You may not need to host their baby showers or have weekly brunch, but a basic introduction and having their contact information on hand will go a long way.
7. Use your resources: RMF Knowledge Service
We plug this all the time, but did you know there is a repository of resources for your RMF package provided by the Office of the Secretary of Defense (OSD)? The RMF Knowledge Service (RMFKS) is packed with templates in component workspaces and supplemental documents that will help you navigate each step of the RMF Lifecycle. The website has been down for a few weeks as of writing, but the RMF Knowledge Service can be found at https://rmfks.osd.mil/ and is accessible to anyone with a Common Access Card (CAC) or External Certification Authorities (ECA) certificate (with sponsor).
8. Keep your eye on the why: Justification
A lot of folks get wrapped up in the nitty gritty of security controls, but what upper management and your AO are looking for is proper justification of your decisions within the RMF package. This is the reason that implementation statements are critical for your security controls, so use the 5 W’s method to summarize:
- Who is implementing the control,
- What actions/automation are being performed,
- When/at what intervals,
- Where (on which systems/environments)
- How are the controls implemented and the results verified?
Justification is even more important when you are trying to get more resources. Keep a record of conversations with SMEs, management, and admins on what resources are needed and how the resource would enable them to better meet requirements.
9. You can’t eliminate every risk
As I mentioned in the intro to this article, it is impossible to eliminate every risk. Don’t sweat the controls that are not applicable to your system. More importantly, if you request resources to implement an important control, and you can’t get the funding approved, keep a record of those communications and the justification from higher-ups. Following your Risk Assessment Report (RAR), do your best to get rid of the critical risks through implementing industry-standard best practices, and account for all the “low-hanging fruit” in your Security Plan, or risks that are high impact and low in resource cost to mitigate.
10. It’s dangerous to go alone!
If I’ve made anything clear, it’s that you cannot manage the entire authorization package alone. Anyone in charge of RMF at their organization needs a team of folks trained in RMF, information security best practices, and technical aspects of security controls in order to be successful. Ultimately, it’s up to you to advocate for yourself and your team to get the help you need. Don’t try to do it alone–I’m rooting for you!
BAI offers training in RMF for DoD IT, eMASS, Security Controls Implementation and Assessment, STIGs, Continuous Monitoring, and more! We also offer consulting to assist you in your specific challenges. If you are thinking, “I am really out of my depth with RMF…” please don’t hesitate to reach out to us and get the help you need!