April 26, 2024

RMF: New Cybersecurity Protocol Ahead at NAVAIR


“Don’t overthink this,” said Darryl Allen, deputy CIO for cybersecurity and information assurance, at an August 16 Patuxent Partnership briefing as he discussed NAVAIR’s transition from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF).

Darryl Allen at The Patuxent Partnership briefing.

As threats become increasingly sophisticated, persistent, and diverse, US Navy personnel, processes, and systems must increase vigilance and capability to halt unauthorized access, malicious attacks and denial of service, especially with respect to the Navy’s aviation and weapon systems.

It’s easy to see why the shift from DIACAP to RMF would send cybersecurity compliance officers into deep think mode. RMF, developed by the National Institute of Standards and Technology (NIST), directs the management of organizational risk through the selection and specification of security controls for information systems. This is accomplished as part of an organization-wide information security program that assesses and contains the risk to the organization, or to individuals, associated with the operation of an information system. Under RMF, the risk-based approach to security control selection and specification considers effectiveness, efficiency and the constraints imposed by applicable laws, directives, executive orders, policies, standards or regulations. In sum, it’s a multi-dimensional approach that’s vertical and horizontal at the same time.

Mr. Allen cautioned his listeners not to get too deeply into the weeds in conceptualizing their organizations’ response to the RMF switch, as there will be a learning curve and administrative authority chains are still being discussed and fine-tuned. There are six distinct steps to the RMF process, and he noted that often there is substantial concern with Step 1: categorizing your information system.

That step can be completed by using an impact analysis to review the information your system processes, stores and transmits. With that analysis in hand (and this is the part where Mr. Allen says momentum can stall because of “trying to get to perfection”), your transition team can move to Step 2, the selection of an initial set of baseline security controls for your information system.

Then comes the testing, re-testing and launches. Step 3 calls for implementing the security controls and documenting how the controls are deployed. In Step 4, the controls are assessed for correct operation and outcomes. Step 5 authorizes the system’s operation based on understanding and acceptance of an acceptable level of risk. Step 6 is the monitoring function, which is extensive and continuous.
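Steps 1 and 2 as a worked example, added here and not part of the briefing or any NAVAIR tooling: each information type the system handles is rated for the impact of losing confidentiality, integrity and availability, the system category is derived from those ratings, and the initial control baseline follows from the category. It assumes the NIST FIPS 199 “high-water mark” rule and SP 800-53 baselines (the briefing names neither), and the information types and their ratings are constructed.

```python
from dataclasses import dataclass

# Impact levels ordered so the highest one wins (the "high-water mark" rule).
# FIPS 199 categorization and SP 800-53 baselines are assumed here; the
# briefing names neither, and DoD guidance may categorize differently.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """Information the system processes, stores or transmits, with the
    impact that a loss of each security objective would have."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:  # reject levels outside the defined scale
            level = getattr(self, obj)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown {obj} impact {level!r}")

def categorize(info_types):
    """Step 1: each objective takes the highest impact of any information
    type; the overall category is the highest of the three objectives."""
    if not info_types:
        raise ValueError("no information types: nothing to categorize")
    per_objective = {
        obj: max((getattr(t, obj) for t in info_types), key=LEVELS.get)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=LEVELS.get)
    return per_objective, overall

def select_baseline(overall):
    """Step 2: the initial control baseline follows the overall category."""
    return f"SP 800-53 {overall.capitalize()} baseline"

# Constructed sample: a hypothetical aircraft maintenance-scheduling system.
SAMPLE = [
    InfoType("flight schedules", "moderate", "moderate", "high"),
    InfoType("public press releases", "low", "low", "low"),
    InfoType("maintenance records", "low", "moderate", "moderate"),
]

if __name__ == "__main__":
    per_objective, overall = categorize(SAMPLE)
    print(per_objective, overall, select_baseline(overall))
```

Note that a single high-impact availability requirement (flight schedules) pulls the whole system to the High baseline, which is the effect Mr. Allen’s “trying to get to perfection” warning is about: the categorization decides how much work Steps 2 through 6 will be.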

Mr. Allen said NAVAIR will have a designated Functional Authorizing Official and a Functional Security Control Assessor to assess and authorize NAVAIR’s Platform IT and RDT&E systems. Authorization protocols continue to be discussed and developed. “We’re not yet happy with where we are on that,” Mr. Allen said. The continuous monitoring of security controls should help preclude repeated requests for authorization, he said.

For contractors, Mr. Allen said the goal is a flat system in which documentation can move back and forth between the contractor and the military client expeditiously and fluidly. The last day of DIACAP for NAVAIR, and transitioning to RMF, is anticipated for sometime this fall.

The Patuxent Partnership works with government, industry and academia on programs and initiatives designed to support workforce development in Science, Technology, Engineering and Mathematics (STEM), hosts programs of interest to the Navy and the broader community, and supports research and technology development.

To learn more about The Patuxent Partnership and its programs, visit its Leader member page.