A Need for Better Cybersecurity Time Management

Some Suggestions for the Department of Defense

A Hybrid Risk Management Framework (RMF) Step 3

A challenge facing the Department of Defense (DOD) is allocating the time and coordination needed to properly execute Step 3 of the Risk Management Framework (RMF), Implement Security Controls.  In Step 3, the cybersecurity team works with the developers to ensure that every security control selected in Step 2 is actually applied.  The recurring problem is that Program Managers (PM) do not schedule adequate time for this phase of the RMF.  In the past, under the DoD Information Assurance Certification and Accreditation Process (DIACAP), the process typically took six months to receive an Authorization to Operate (ATO).  The three to four weeks currently allocated continues to force cybersecurity into document-only reviews rather than the required assessments, interviews, and hands-on testing of systems that give a complete picture of the target system's security posture.  At least two (2) months is required to complete this step adequately.

The expectation is that the developer or developers will conduct their own preliminary security scans and fix the target software before delivery; in practice this has resulted in inconsistent delivery of secure software to the government, including numerous severe vulnerability findings that were neither corrected nor mitigated prior to delivery.


A Hybrid Step 3:  Suggested Entry Point

The recommended "workaround" is to use the Functional Qualification Testing (FQT) period as shared working time for the cybersecurity validator team and the developers.  Having the security controls (Step 2) approved prior to implementation is preferred; however, an earlier entry point can still be used without defeating the intent of this solution.

This is an opportune time for security scans to be conducted and reviewed locally.  While the code is still at the developer's site, the cybersecurity team can review the onsite scan results, identify Category I (high-impact) findings, and help the developers better understand the RMF control process.


What is needed to be effective? 

Assumptions:

  • The code is locked down and the Program Manager has approved the current stable baseline.
  • The Preliminary Design Review/Critical Design Review (PDR/CDR) is completed and approved.
  • The system is categorized (Step 1), the security controls are selected (Step 2), and the designated Authorizing Official (AO) has approved both steps.
  • The package has been initiated in eMASS.

Hybrid Step 3 site-visit requirements (at the developer's location):

  • Cybersecurity Assessors:
    • Access to vulnerability scans and configuration scans (automated and manual) on Day 1.
    • Non-disclosure Agreements (NDA) to protect the parties and intellectual property rights, as required.
    • Train and assist the developers in formulating business cases (mitigation strategies) that explain how each finding against a technical security control will be either corrected or mitigated.  Provide additional training as requested during the visit.
    • Give the developers an understanding of which vulnerabilities are likely correctable and which will require Risk Acceptance (RA); this advance notice lets cybersecurity begin preparing an RA or waiver action early.
  • Developers:
    • Be prepared to present the scan results (a formal meeting and presentation) to the Assessors on Day 1.
    • Have software engineers present who can answer questions about the technical issues preventing the developer from meeting NIST SP 800-53 control requirements.

Conclusion

For this solution to be effective, it will require government support and approval, including the backing of the respective Contracting Officer's Representative (COR).


The overall intent is to create a mechanism for conducting preliminary security assessments of software to verify its compliance with DOD and NIST directives and policies.  This provides a needed preliminary status ahead of formal cybersecurity testing, whether that testing is conducted in conjunction with, or separately from, government developmental testing and approval.


Related Article

https://cybersentinel.tech/2018/08/15/is-agile-cybersecurity-possible/