How Standardizing RMF Will Create Value for the Military
Imagine you work at a manufacturing company. The company is divided into four separate divisions that produce different products, using the same equipment. The CEO develops a set of controls to make sure that each piece of equipment used in manufacturing products is safe and efficient.
One division decides to modernize its processes before the other three and gets its equipment approved through the developed controls. Then, as each of the other divisions begins their own upgrade, they discover they must follow the same time-consuming purchase process, despite the exact same machines already holding approval in another division. The result is lost time, profits and productivity.
This scenario is unrealistic. No organization would require each of its divisions to go through the same extensive approval process for the same exact equipment multiple times.
Yet, this is the situation the Department of Defense finds itself in with the Risk Management Framework (RMF)—an authorization process for cyber security procedures at the DoD and its four service branches. Each branch must get its systems certified under RMF, but in many cases another has already gone through the rigorous process with a system that contains the exact same components, duplicating work.
RMF was created by the National Institute of Standards and Technology (NIST) as a continuous process for assessing network security for the DoD. It plays an important role, offering a dynamic approach to security nearly a decade after the first relatively static cyber standards were introduced in 2006.
While the intent is to simplify approvals and ensure security, the process has become complicated by an inability to inherit controls already put in place across the service branches. For example, every branch of the military uses a predator drone, but they all have to go through the RMF process from beginning to end, even though it’s the exact same drone product being used.
It’s not because the DoD requires duplicative approvals across its branches—there is no rule in the RMF that says each branch needs to conduct their own process. The challenge is a result of siloed IT and cyber security functions across the different service branches.
This complicated and repetitive approach is avoidable. The government can look to industry partners as a guide to eliminating duplicative approval processes. Private sector organizations can help the military view RMF-approved systems holistically. Industry partners can—and should—search for components across the services that are already certified and build systems off of them.
The intent of NIST’s RMF program has always been to normalize processes across the services. If done correctly, this helps the Army, Navy, Air Force and Marines understand lessons learned throughout the DoD. A holistic approach that looks into approvals across the services will not only simplify the process and be more cost effective for the DoD, it will also standardize the way the defense community secures its most important systems.
Iron Bow’s experts understand the RMF guidelines and how to bring together the tools to satisfy those requirements for our clients. We stay on the cutting edge of technology and partner with companies who have automated the RMF processes, allowing for greater efficiencies so our DoD clients stay focused on the mission at hand.
For more information, visit the Iron Bow website.