As the deadline to switch to the Risk Management Framework (RMF) approaches, many realize they are not prepared. The slightest deviation from RMF's six-step process leaves a system, and the sensitive information it contains, vulnerable to attack.
Several challenges have surfaced since the beginning of the transition to RMF, leaving IT managers to find and solve the issues for their systems. If you’re involved with the shift to RMF, here are the top five obstacles to avoid as you make your own successful switch to RMF.
Why change from DIACAP?
Other than the requirement to change, there are a few important reasons for the transformation to RMF. When the DoD Information Assurance Certification and Accreditation Process (DIACAP) was introduced in 2007, it was the first to provide a web-based support portal for the Certification and Accreditation (C&A) process. While it was an improvement, the Department of Defense (DoD) was the only organization to use DIACAP, which caused interconnectivity difficulties with the various systems used by the rest of the Federal Government and the Intelligence Community (IC). RMF addresses these shortcomings with:
- A standard control set used by all of the Federal Government
- Continuous monitoring of security activities
- Improved system categorization process
- Assessment and Authorization (A&A)
Planning for RMF
First, you must develop the right mentality about RMF. With limited resources and very little time to understand and implement RMF, this task can be rather daunting. However, the transition is not impossible, and there are a few steps you can take to help make the change a little easier for yourself.
To help plan your RMF transition, you should set up a kick-off meeting with all relevant stakeholders including Systems Administrators, Project Leads, Information Systems Security Officer (ISSOs), Information Assurance (IA) personnel and anyone else involved with the move to RMF. This meeting will help you understand what tasks need to be accomplished and by whom.
Number of Controls
One major change that impacts your move to RMF is the significant increase in the number of security controls, which requires you to put more focus into the security control selection and implementation steps.
Since RMF uses a new security categorization process based on confidentiality, integrity and availability (CIA), there is no one-to-one correlation with the DIACAP controls or control families. Even so, the number of controls for a system ranked high in all three categories can be compared to a DIACAP MAC I Classified system. In this case, DIACAP is composed of 110 IA controls and 173 validation procedures, while RMF has 950 security controls and 2769 validation procedures.
The new framework primarily breaks the same security requirements down into more granular controls that address risk in more detail. In comparison to DIACAP, RMF controls also address emerging technology, including remote access, continuous monitoring and wireless access. Therefore, a system that does not implement all of the necessary RMF controls will have a weakness in its cybersecurity defense on the new-technology front.
DIACAP Accreditation to RMF Authorization
Changing from DIACAP’s Certification and Accreditation (C&A) to RMF’s Assessment and Authorization (A&A) not only clarified the process to obtain approval for a system, but it also developed a new mindset for cybersecurity professionals.
The change from C&A to A&A reinforces the idea that security is stronger when it is built into the system during the early development phases. Unlike DIACAP, RMF builds security controls into the system in the beginning steps, an approach many know as "baked in, not bolted on." To achieve this goal, the essential steps and tasks from DIACAP have been reordered for an earlier focus on security.
The new names also describe the process more accurately. The first step in the C&A process is for security professionals to assess the system and provide recommendations; then a Designated Accrediting Authority (DAA) signs to authorize the system to go live or remain in operation. In RMF, this process was therefore renamed Assessment and Authorization.
Adding security controls in the beginning of the Software Development Life Cycle (SDLC) produces a system that supports the management of risk more efficiently. Under DIACAP, the system and security controls are not able to integrate as effectively, and this results in increased exposure to cyber attacks.
Defining adequate controls for your system can be problematic. Having too few controls will leave your system susceptible to cyber attacks, but having too many controls will waste valuable resources.
The first step in deciding the best controls is to categorize your system based on the CIA security categorization. Next, you choose an initial, tailored baseline of security controls, which is accomplished by applying scoping guidance, parameterization and compensating control guidance. You then supplement the baseline with updated and fitted security controls, adding any additional controls or control enhancements if necessary. This process ensures your system meets the updated minimum assurance requirements and addresses its unique needs based on the risk assessment.
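To make the categorize, select, tailor and supplement steps concrete, here is an added worked example (not code from the original article or from Rivera Group). The control catalog, impact thresholds, organization-defined parameters and the per-objective selection rule are all constructed placeholders for illustration; they are not the published RMF control set. The model also shows the two findings an assessor typically raises against a tailored baseline: a control scoped out without a justification, and a selected control whose organization-defined parameter was never assigned.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Impact levels from the CIA categorization step, ordered for comparison.
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    # Lowest impact level per objective (C, I, A) at which this control
    # enters the baseline; None means the objective does not drive it.
    thresholds: Tuple[Optional[str], Optional[str], Optional[str]]
    # Organization-defined parameters that must be assigned during tailoring.
    params: Tuple[str, ...] = ()


# Constructed catalog: identifiers follow the NIST naming style, but the
# thresholds and parameters are hypothetical and do not reflect the real set.
CATALOG = [
    Control("AC-1", "Access control policy", ("low", "low", "low"), ("review_frequency",)),
    Control("AC-5", "Separation of duties", ("moderate", "moderate", None), ("duties_to_separate",)),
    Control("AC-17", "Remote access", ("low", "low", "low")),
    Control("AU-9", "Protection of audit information", (None, "moderate", None)),
    Control("CP-7", "Alternate processing site", (None, None, "high"), ("recovery_time_objective",)),
    Control("SC-8", "Transmission confidentiality and integrity", ("moderate", "moderate", None)),
]


def categorize(conf: str, integ: str, avail: str) -> Tuple[str, str, str]:
    """Step 1: express the security categorization as a (C, I, A) triple."""
    for lvl in (conf, integ, avail):
        if lvl not in IMPACT:
            raise ValueError(f"unknown impact level {lvl!r}")
    return (conf, integ, avail)


def select_baseline(category: Tuple[str, str, str], catalog=CATALOG) -> Set[str]:
    """Step 2: build the initial baseline. Assumed rule: a control is selected
    when the system's impact level for any objective meets that control's
    threshold for the same objective."""
    levels = [IMPACT[lvl] for lvl in category]
    chosen: Set[str] = set()
    for ctl in catalog:
        for threshold, level in zip(ctl.thresholds, levels):
            if threshold is not None and level >= IMPACT[threshold]:
                chosen.add(ctl.ident)
                break
    return chosen


@dataclass
class Tailoring:
    scoped_out: Dict[str, str] = field(default_factory=dict)       # id -> justification
    compensating: Dict[str, str] = field(default_factory=dict)     # removed id -> substitute id
    parameters: Dict[str, Dict[str, str]] = field(default_factory=dict)
    supplements: Set[str] = field(default_factory=set)             # added controls/enhancements


def tailor(baseline: Set[str], decisions: Tailoring, catalog=CATALOG):
    """Step 3: apply scoping, compensating-control and parameterization
    decisions, then supplement. Returns the tailored set and the findings an
    assessor would raise (unjustified removals, unassigned parameters)."""
    selected = set(baseline)
    findings: List[str] = []
    for ident, why in decisions.scoped_out.items():
        if not why.strip():
            findings.append(f"{ident}: scoped out without justification")
            continue  # an unjustified removal does not take effect
        selected.discard(ident)
    for ident, substitute in decisions.compensating.items():
        selected.discard(ident)
        selected.add(substitute)
    selected |= decisions.supplements
    by_id = {c.ident: c for c in catalog}
    for ident in sorted(selected):
        ctl = by_id.get(ident)
        for p in (ctl.params if ctl else ()):
            if p not in decisions.parameters.get(ident, {}):
                findings.append(f"{ident}: parameter {p!r} not assigned")
    return selected, findings


if __name__ == "__main__":
    category = categorize("low", "moderate", "low")
    baseline = select_baseline(category)
    decisions = Tailoring(
        scoped_out={"AC-17": "standalone system, no remote access"},
        compensating={"SC-8": "SC-8-COMP"},   # hypothetical compensating control id
        parameters={"AC-1": {"review_frequency": "annually"}},
        supplements={"AU-9(2)"},              # hypothetical enhancement id
    )
    tailored, findings = tailor(baseline, decisions)
    print("category:", category)
    print("initial baseline:", sorted(baseline))
    print("tailored set:", sorted(tailored))
    print("findings:", findings)
```

Running the script for a Low/Moderate/Low categorization selects five of the six constructed controls, drops the scoped-out remote access control, swaps in the compensating control, and reports that AC-5 still has an unassigned parameter; an empty justification string leaves the control in place and is itself reported.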
Finally, having outdated documentation for your system will make your transition to RMF considerably more difficult. Therefore, you will want to make sure that you have the following items updated:
- Standard Operating Procedures (SOP)
- Contingency Plan (CP)
- Incident Response Plan (IRP)
- Configuration Management Plan (CMP)
- Network Diagrams
- Hardware and software lists
- Ports, Protocols, and Services Management (PPSM)
Once these items are up to date with the correct signatures, it is a good idea to regularly revise your documentation for any changes. Furthermore, the language of your documentation will have to be translated from DIACAP terminology to RMF terminology, which also means understanding the different control sets used by each framework.
Time for Transition
With time running out, the pressure is on to quickly understand and implement RMF, but it is essential to remember that this is not a direct transition. The Information System (IS) will move into a continuous monitoring phase rather than the current accreditation cycle. This means that you will no longer wait until your accreditation expires and then go through the whole process again to reapply; instead, authorization becomes an ongoing process.
Not an expert in RMF? That’s okay. At Rivera Group, let our experience guide you through the transition and help ensure that your system is ready to defend your sensitive information from any cyber attacks. To learn more about Rivera Group and our RMF services, leave a comment below or contact us.