In December of 2018, the National Institute of Standards and Technology (NIST) published an update for the Department of Defense (DoD) Risk Management Framework (RMF). NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy is an update for next-generation RMF.
This publication comes in response to Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” in addition to three OMB documents:
- OMB Circular A-130: Managing Information as a Strategic Resource
- OMB Memorandum M-17-25: Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- OMB Memorandum M-19-03: Strengthening the Cybersecurity of Federal Agencies by Enhancing the High-Value Asset Program
With the publication of this revision, the NIST has taken its first step towards providing security and risk management with an integrated and flexible methodology. This is geared toward the improvement and simplification of RMF execution for organizations, allowing them to manage risk better while also increasing automation.
In this post, you’ll learn about these new updates and their impact.
What is the DoD RMF?
The DoD RMF defines the process for identifying, implementing, assessing and managing cybersecurity capabilities and services. The process is expressed as security controls. It also authorizes the operation of Information Systems (IS) and Platform Information Technology (PIT) systems. The RMF offers a risk-based approach to the application of cybersecurity while also supporting cybersecurity integration in the beginning and throughout the system’s life cycle. It also encourages reciprocity and continuous monitoring of systems.
In addition to the government using RMF as a strategy, those contracting with the DoD also have to meet certain standards.
Why did the DoD RMF need revisions?
In the summer of 2018, the DoD began to preview that revisions to the RMF were forthcoming. The catalyst for this change comes down to a shift away from just being compliant and focusing more on security. In an article published by MeriTalk, John Bergin (IT and Business System Reform Lead at the DOD) said, “If I’m doing continuous monitoring for real, which requires automation and technology, then I have less compliance workers because those people are no longer relevant in that conversation, which puts me in a place where we’re having stronger conversations with industry about the right people, and not about people.”
There has been constant conversation in the industry about the lack of cybersecurity talent, but what the DoD implied then and then confirmed with the revision is that it’s not about the number of people — automation can pick up this part. It’s about having the right people.
Objectives of the Revision
The revision identifies seven major objectives. Overall, these revisions look to address the privacy risk management process, not just cybersecurity protection from external threats.
- Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes and activities at the system and operational level of the organization.
What it means: This objective places more onus on leaders of an organization to be aware of and involved in cybersecurity.
- Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient and cost-effective execution of the RMF.
What it means: Risk management preparation should be part of the culture and foundation of an organization.
- Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes.
What it means: Organizations should use both the cybersecurity framework and RMF in the creation of processes related to risk management.
- Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible.
What it means: Privacy is critical to managing risk and may not have been fully addressed prior to the revision.
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160 Volume 1, with the relevant tasks in the RMF.
What it means: In life cycle-based engineering processes, users should put a critical focus on security.
- Incorporate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code and poor manufacturing and development practices throughout the SDLC.
What it means: Supply chain vendors must be held to the same security standards as the organization using them.
- Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53 Revision 5.
What it means: Align both organizational and traditional baseline control selection approaches for a more secure system.
The Prepare step: a deeper dive
For the Prepare objective identified above, the revision offers additional information about how to assimilate this step for a more successful, proficient security and privacy risk management process. The revision provides specific guidance on this step with these objectives:
- Facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level. Simply put, leaders and those actually executing on the processes must meet and talk regularly about cybersecurity topics
- Identify organization-wide common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection. With this objective, it’s about simplification of controls to decrease redundant or unnecessary work, ultimately saving dollars
- Reduce the complexity of the IT and operations technology (OT) infrastructure by using Enterprise Architecture concepts and models to consolidate, optimize and standardize organizational systems, applications and services. Infrastructures do not have to be complex to be effective; in fact, that can be a detriment
- Minimize the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk. If there are tasks that don’t relate to security and privacy, then they should be removed
- Find, prioritize, and focus resources on the organization’s high-value assets (HVA) that require increased levels of protection — taking measures commensurate with the risk to such assets. Thus, the more valuable an asset, the greater its protection should be because it’s also exposed to more risk
DoD RMF Revision impact on private industry
For any government vendor, this update stands as a new direction for best practices to follow. The importance to the private sector to implement these new practices is in direct relation to the fact that adversaries have been using the supply chain as a way to penetrate government systems. With the NIST SP 800-37, a list of tips has been included to help with implementation:
- Use the tasks and outputs of the organization-level and system-level “prepare” step to promote a consistent starting point within organizations to execute the RMF
- Maximize the use of common controls to promote standardized, consistent and cost-effective security and privacy capability inheritance
- Expand the use of shared or cloud-based systems, services and applications where applicable, to reduce the number of organizational authorizations
- Employ organizationally tailored control baselines to increase the speed of security and privacy plan development, promote consistency of security and privacy plan content and address organization-wide threats
- Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process
- Increase the use of automated tools to manage security categorization; control selection, assessment and monitoring; and the authorization process
- Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections
- Include RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings
- Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system elements and services — employ least functionality principle
- Make the transition to ongoing authorization and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs
Key Takeaways for Private Industry
For any private industry contracting with government agencies, you should review all the new objectives and use the tips and advice provided on how to implement them. Further, the preparation step should be a top focus. While establishing these new processes will be of great importance for your continued compliance as a government vendor, you should also find other benefits that improve and strengthen your cybersecurity while possibly decreasing overall costs associated with it.
It’s critical that your technology professionals understand the DoD RMF and attend training to master the DoD authorization process and have a complete understanding of the RFM.
- Risk Management Framework Update: NIST Publishes SP 800-37 Revision 2, NIST
- Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST
- CIRCULAR NO. A-130, whitehouse.gov
- M-17-25 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES, whitehouse.gov
- M-19-03 MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES, whitehouse.gov
- DoD’s Bergin: New RMF Due End of Summer, Will Revamp Cyber Worker Roles, MeriTalk
- Cybersecurity Framework, NIST
- Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, NIST
- Security and Privacy Controls for Information Systems and Organizations, NIST