By Lon J. Berman, CISSP, RDRP
Sometimes I wish I had a crystal ball I could peer into to see what is in store for the future. And nowhere do I wish for this more fervently than in the area of cybersecurity and RMF. It would be lovely to know what is lurking around the next corner, so to speak. Alas, the best we can manage is some intelligent guesswork about what lies ahead. I don’t claim to be the most intelligent person around, but I have worked in this field for decades, and, hopefully, I’ve gained a little bit of insight.
Here, then, are some of my views into the future of RMF:
Likely, and just around the next corner:
It is highly likely we will be seeing an increased emphasis on Continuous Monitoring, which is Step 6 of RMF. One of the long-standing “missing pieces” in the suite of DoD RMF documentation has been a set of policies and procedures for Continuous Monitoring. DoD has recently released a policy for Ongoing Authorization (aka Continuous ATO). Ongoing Authorization enables the Authorizing Official (AO) to grant ATO “extensions” on a regular basis, as opposed to going through the full “re-authorization” process. Ongoing Authorization requires the system owner to present evidence of a robust Continuous Monitoring program in order to give the AO assurance that the security posture of the system is being maintained at a high level. My speculation is that DoD will finally respond with some meaningful “how to” guidance.
Somewhat less likely, but still possible:
Significant changes to eMASS might conceivably be in the cards. It is no secret that there is widespread “discontent” with eMASS, both from the user level (complexity) and at the DoD level (cost). It is possible DoD may be looking at wholesale replacement of eMASS with some other tool. Needless to say, that would entail a considerable expenditure and a complex “migration” process. The migration process alone is likely to be daunting to many system owners. I can only hope that DoD really, really thinks this one through before committing to some other tool. The last thing they would want to do is to end up “trading a headache for an upset stomach”.
Extremely unlikely:
There always seems to be a little bit of “background chatter” in the cyber-security community to the effect that DoD is looking to replace RMF with “the next big thing”. My opinion is that just “ain’t gonna happen”. The reason is pretty simple – DoD is unable to act unilaterally. As a member of the Joint Task Force Transformation Initiative, DoD is obligated to work in concert with the federal civil agencies and the intelligence community. As difficult as it was to get consensus on RMF, there is virtually no chance that kind of consensus will happen again. Having said that, I feel compelled to add the disclaimer that “nothing is impossible”, however I believe it’s a fairly safe bet that there will be no wholesale replacement of RMF anytime soon.
I’m pretty confident in these “predictions”, but only time will tell if my crystal ball was accurate or not!