PROPOSAL: A Federated Cybersecurity Domain as a matter of US Policy
What if the Risk Management Framework (RMF) applied to both the public and private sector?
SUMMARY
This policy proposal outlines a fundamental change in the overall direction and application of cybersecurity protections for the United States (US). The Risk Management Framework (RMF), currently implemented throughout the Federal Government, will be expanded to address the need for a stronger US cybersecurity posture. RMF, formulated by the National Institute of Standards and Technology (NIST) in Special Publication 800-37, will become the standard for protecting most of the US's vital Information Technology (IT) infrastructures.
RMF will implement and expand the concept of Continuous Monitoring (CM), ensuring that both humans and automated methods provide real-time protection to the nation's networks and systems. The recommendations proposed will also attempt to reduce resource, manpower, and dollar costs.
THE PROPOSAL
RMF is a well-established structure for protecting the US and its citizens from cyber-assault. NIST has spent years formulating its concepts, principles, and implementation policies in a well-constructed form that is widely distributed to the general public. Adherence to NIST SP 800-37 will form the foundation for enhancing the US's overall cybersecurity posture against both internal and external cyber-threats.
This proposal (see Chart 1) will be mandatory for all government agencies at all levels; it also covers the Defense Industrial Base (DIB) and legislatively identified elements of the US's Critical Infrastructure (CI). Together these form a defined body to be called the "Federated Cybersecurity Domain (FCD)." The applicability of RMF will further extend to those private businesses seeking to provide goods and services to the government. Private industry not seeking any business relationship with government will nonetheless be encouraged to adopt this standard.
The scope of this proposal applies to the FCD. This specifically includes the DIB because of its regular and continuous work with the Department of Defense (DOD) in matters of national and international security. CI is included as well, since protecting potentially vulnerable Supervisory Control and Data Acquisition (SCADA) systems from technical manipulation is essential. Any adverse action against US CI has a direct impact on national security, especially in its potential effects on the health, safety, and welfare of US citizens.
Businesses not desiring to conduct trade with any level of government will not be required to participate in the RMF implementation; however, the federal government will provide technical assistance to businesses that request help securing their equipment and networks. The Department of Homeland Security (DHS) will provide outreach programs to assist businesses and private citizens at no cost.
To limit the scope of this initial phase of a US-wide RMF implementation, individual citizens are not required to participate. This policy is intended to harden critical systems to ensure the security of the US. Future versions of this law may expand to include this under-served area.
Additionally, US citizens will be offered positive incentives to comply with this policy. Tax breaks, access to technical expertise, and other incentives will include discounts for "Cyber-Security Safe" hardware and software items certified by the National Information Assurance Partnership (NIAP); NIAP has a long history of identifying and classifying the security level of IT hardware components. Under this policy, NIAP will expand its role to cover "cyber-security-capable" software products as well.
The value of implementing RMF is that it is widely used throughout the federal government today, is thoroughly established with a large body of supporting documents, and can readily be shared with and implemented by the private sector. This policy will mandate CM and establish standards for both automated and human controls and countermeasures to ensure the cyber-posture of public and private organizations; standards such as RMF provide a critical commonality of terms and implementation rules that assure and enhance system and network security.
Why is Assessment & Authorization (A&A) desirable, and what should it accomplish?
Why pursue the expansion of RMF cyber-security standards across the US's IT architectures and systems? Recent intrusions into critical federal systems point to the agile and highly damaging nature of cyber-threats worldwide. Recent reports of the voluminous amounts of personal data exfiltrated from the Office of Personnel Management (OPM), and of intrusions into seemingly well-protected DOD networks, highlight the immediate need for change. "For nearly a week, some 4,000 key military and civilian personnel working for the Joint Chiefs of Staff have lost access to their unclassified email after what is now believed to be an intrusion into the critical Pentagon server that handles that email network…" (Starr, 2015). If the presumably most secure systems within the federal government can be readily infiltrated, implementing the RMF A&A process across the US is critical.
The expansion of RMF across much of the US's infrastructure will continue to satisfy standing laws, including the Federal Information Security Management Act (FISMA). FISMA was developed, in part, to reduce the effectiveness of cyber-attacks. RMF will continue to align with FISMA and other cyber-security related laws, providing a needed method for enhancing oversight of information security applications, systems, and networks. FISMA explicitly seeks to "…provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets" (US Government, 2002).
Finally, any expansion of RMF will integrate more closely with the acquisition lifecycle. For example, cybersecurity testing at the hardware, software, and even source-code levels must occur at every phase of the lifecycle. Classically, developers of capabilities for the private sector have focused on desired and marketable functionality for obvious economic reasons. This policy further requires that industry and government best practices include automated cybersecurity tools and manual scanning practices at all points of the system or software lifecycle.
POTENTIAL PITFALLS
There are many pitfalls in prescribing any standard, especially within the highly volatile environment of cyberspace. One such pitfall is becoming too rigid about how best to mitigate and counter threats. The danger of any standard is that it may fail to minimize a threat action while also preventing other, more capable and creative mitigation approaches from being implemented.
Another pitfall is the creation of excessive mandatory policies that increase the costs and resource demands of implementation. For example, this occurred in DOD through growing taskings directed by the newly established US Cyber Command. These taskings have continued to impose increased resource requirements on already stretched DOD agencies, with no additional funding, to counter more dramatic and evolving intrusions within DOD itself.
While these are only two examples of potential dangers, reassessing such risks must be part of a continuous and programmatic approach to implementing this policy. It is critical to regularly review the issues and risks facing this comprehensive implementation.
RESOURCES
It is difficult to estimate the resources needed to protect any agency or business. The cost can vary widely based on an agency's current susceptibility, the relative value of its stored data, and similar factors. An analysis by the IT consulting company Executech stated that "[w]hile the answer will vary, depending on the type of business—not to mention the relative optimism of its owners– a useful baseline: some $57,600 a year for a 50-employee company" (Clark, 2014). This will be the baseline cost factor for all elements of the FCD and will form the initial cost estimates.
Members of the FCD will be required to identify a central funding line for their cyber-security measures. This will assist in refining resource baselines and help identify overall costs. Central funding lines will also be further sub-categorized for tracking cyber-security professional development costs in order to identify current and future IT expertise needs and demands.
This approach to resourcing provides a means to establish mandatory metrics and comports with federal requirements for measurable activities to reduce any undue waste, fraud, or abuse that may occur due to the implementation of this policy. The centralization and specific categorization of costs provides a means to create baselines and establish standards that can be better refined for future execution of this policy.
CONCLUSION
This policy provides the necessary, standardized implementation of a common A&A process across a wide range of the US's public and private IT infrastructures. It creates a real-time monitoring emphasis and capability through the technological implementation of CM. This proposal creates the right environment for all members of the FCD to participate in a manner that does not overburden their people and financial resources. This initiative should be implemented as soon as possible, in a rapid and creative manner, as proposed.
REFERENCES
Clark, P. (2014, October 31). The Bill for Cybersecurity: $57,600 a Year. Retrieved from Bloomberg Business: http://www.bloomberg.com/bw/articles/2014-10-31/cybersecurity-how-much-should-it-cost-your-small-business
Department of Homeland Security. (2015, August 26). Defense Industrial Base Sector. Retrieved from DHS.gov: http://www.dhs.gov/defense-industrial-base-sector
DOD CIO-A. (2014, March 14). Cybersecurity. Retrieved from DTIC.mil: http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
DOD CIO-B. (2014, March 12). Risk Management Framework (RMF) for DoD Information Technology (IT). Retrieved from DTIC.mil: http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
Musa, S. (2014, November 11). Cybersecurity: Assessment and Authorization. Retrieved from The Evolllution: http://evolllution.com/opinions/cybersecurity-assessment-authorization/
NIST. (2013, May). Glossary of Key Information Security Terms. Retrieved from National Institute of Standards and Technology (NIST): http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
NIST. (2015, May 12). NIST General Information. Retrieved from NIST.gov: http://www.nist.gov/public_affairs/general_information.cfm
Personnel and Readiness Information Management (OSD). (2011, June 29). Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). Retrieved from Personnel and Readiness Information Management (OSD): http://www.prim.osd.mil/Documents/DIACAP_Slick_Sheet.pdf
SearchCompliance. (2014, February). NIAP Definition. Retrieved from Search Compliance: http://searchcompliance.techtarget.com/definition/National-Information-Assurance-Partnership-NIAP
Silverberg, D. (2015, February 3). Cytegic monitors cyber-security threats in real-time. Retrieved from B2B News Network: http://www.b2bnn.com/2015/02/cytegic-monitors-cyber-security-threats-real-time/
Starr, B. (2015, July 31). Military still dealing with cyberattack ‘mess’. Retrieved from CNN.com: http://www.cnn.com/2015/07/31/politics/defense-department-computer-intrusion-email-server/
Threat Track. (2015). Enterprise Executives and Consumers Lack Confidence About Cybersecurity. Retrieved from Threat Track Security: http://www.threattracksecurity.com/resources/white-papers/executives-and-consumers-lack-confidence-in-cybersecurity.aspx
US Government. (2002). Federal Information Security Management Act of 2002 (44 U.S.C. §§ 3541-3549). Retrieved from NIST: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.