Source: United States Navy
RMF uses a risk-based cybersecurity approach for enterprise-level authorization of IT systems and services. It incorporates cybersecurity early on in system development and promotes continuous monitoring of security controls throughout the system lifecycle. As a rigorous six-step process, its end goal is to receive authorization to operate (ATO) on the Navy’s network.
The steps include categorizing systems, selecting, implementing and assessing security controls, authorizing systems and monitoring security controls. The sixth step, monitoring security controls, is significant, as it is moving towards a continuous monitoring process throughout the system lifecycle. The goal is to have a system that can then maintain its ATO, rather than having to repeat the entire process every one to three years, saving both time and money.
RMF packages include several plans that formally document the scrutiny given to a system before it can receive an ATO. Currently, the Navy’s RMF process takes roughly 6-18 months to achieve authorization. With over 2,000 Navy systems, this represents significant manpower, time and costs with hundreds of labor-intensive, manual transactional processes without optimized process flows.
“The RMF Factory will stabilize and automate RMF package development and processing that enable operationally relevant, risk informed authorization decisions,” said Rob Wolborsky, NAVWAR deputy chief engineer. “This will significantly reduce cost and processing time while increasing cybersecurity in the fleet.”
With the goal of a quicker, automated and more accurate RMF process, NAVWAR is beginning to use RMF Automation and Process Streamlining (RAPS), which delivers a graphical user interface (GUI) enabling non-cybersecurity experts to perform administrative RMF processes. It also lets programs adjust staffing to decrease cyber costs and processing time to authorize information systems, automates manual tasks and alleviates rework. This digital process provides a foundation to support development of automated cyber ready assessments and create cyber risk link to naval missions.
Additionally, RAPS integrates with Enterprise Mission Assurance Support Service (eMASS), a government owned web-based application with a broad range of services for comprehensive, fully integrated cybersecurity management.
“We want the RMF Factory to become all naval program’s ‘easy button’ for RMF package development and management,” said Andrew Mansfield, NAVWAR assistant chief engineer for mission capability and technical director of Naval Information Warfare Center Atlantic. “Using prepared toolkits, reusable templates, coupled with dedicated RMF specialists, naval programs will have help to navigate the process and accelerate delivery of capability to operational fleet commanders. As more and more programs leverage the RMF Factory, consistent and standard package data will lower the barrier of entry to gaining enterprise understanding of security risk posture, and allow data-driven decision making.”
RMF Factory will be implemented using a phased, building block approach. Each phase is anticipated to incorporate process improvements and growth, and phases will be added as the team identifies additional objectives. Each phase will be approved by the oversight committee and executive sponsor.
Phase 1 was initially limited to a NAVWAR-approved pilot system registered in the Navy’s eMASS on the non-classified internet protocol router network (NIPRNet) domain that does not have a cross-domain solution and is seeking a reauthorization. Based on initial reception of the RMF Factory efforts, Phase 1 has been expanded to include any Navy system seeking a new ATO or reauthorization on either the NIPRNet or Secure Internet Protocol Router Network (SIPRNet) in eMASS.
The Phase 1 pilot will include products and services like a SharePoint site for Factory entry, exit, and status tracking, Power BI dashboard for progress analysis and the RAPS tool and associated training to provide a mixed, automated and GUI for RMF package quality auditing. A Phase 1 summary of actions, lessons learned and way ahead are expected later this summer.
“The RMF Factory and associated RAPS tool provide a consolidated approach for practitioners,” said Gwendolyn Converse, who used the RMF Factory during the Phase 1 pilot for the High Frequency Shipboard Automatic Link Establishment Radio System. “It takes the guess work out of the process specifically for Step 2. We knew exactly what would be reviewed and could address potential issues BEFORE they became findings.”
The team is preparing for Phase 2, which includes identifying additional pilot systems to demonstrate feasibility for Navy-wide adoption, aimed for fiscal year 2023.
Important to note, the RMF reform effort is a separate initiative which is not directly related to the Factory, but aims to take a systematic and data informed approach to moving from static three-year ATOs to continuous ATOs.
About NAVWAR
NAVWAR identifies, develops, delivers and sustains information warfighting capabilities and services that enable naval, joint, coalition and other national missions operating in warfighting domains from seabed to space and through cyberspace. NAVWAR consists of more than 11,000 civilian, active duty and reserve professionals located around the world.