The Top 6 Immutable Rules of RMF
We still do not have a good universal understanding of the role of leadership and the basics of RMF to be successful against a growing threat in cyberspace
1. The Risk Management Framework (RMF) is risk-based, not threat-based.
What differentiates the National Institute of Standards and Technology (NIST)-created RMF from former cybersecurity frameworks is that its about identifying, mitigating, and monitoring risk throughout the life of the Information Technology (IT) system. There are still strong arguments to return to a threat-focused model; however, it is unlikely to happen. Furthermore, an understanding of the capabilities of threat motives and capabilities are still an inherent sub-component of RMF in the form of the Risk Assessment Report (RAR), other internal, and external reporting awareness critical to effective cybersecurity.
RMF is about time, money, and resources, and not necessarily about complete system security. The threat base—cyber-threats of many types and flavors– has grown so large, that the only way to stay engaged with the current reactionary responses is through a balance of a company or agency limited resources in a risk-based approach.
2. The Authorizing Official (AO) accepts all residual risk – both responsible and accountable
The AO is the boss over not just the system, but the network that resides internal to the respective organization’s firewall boundaries. The AO is regularly briefed (and should demand it) on the state of all security controls. The AO’s interest must lie with whether they are 1) active—ultimately met under RMF controls, 2) mitigated—the controls are being met, but by other indirect measures such as policies, training measures, etc., or 3) not met—the control cannot be met technically (or in some cases financially) by the organization. There is NO partial credit in assessments, and the AO should at least quarterly be apprised of the state of cybersecurity for all systems residing within the AO’s designated network boundary.
3. The AO and System Owner (SO) have a distinct supervisory connection to the system and each other
The relationship between the AO and SO should be that of first-line supervision; however, that may not always be possible. At most, it should not exceed second-line supervision in order to provide direct leadership control and responsibility of the system under RMF. The problem with many organizations is that there is no direct connection between these two critical RMF positions. The AO needs to be able to influence the SO’s regular evaluation process to ensure a focus on cybersecurity is complete and consistent.
4. The SO is responsible for the daily security measures of the system
The SO is the daily defender of the system. The SO’s role is to continually ensure all security measures are met, and the IT environment is monitored for changes. While the AO is looking across the environment strategically, the SO is the tactical “commander” who makes sure all security measures are in place and working.
5. It is not once and done…it’s continuous monitoring
At the core of RMF is Continuous Monitoring (ConMon). ConMon is the real foundation of the RMF. If you are not consistently monitoring the environment, you are not secure. For example, with the myriad of audit logs captured, they are seldom reviewed, and threats sparsely identified. Solutions like Smart Firewalls and Security Information Event Managers (SIEM) are first-generation solutions—but they are not enough. ConMon requires the active participation of cybersecurity professionals at all levels of the defense against potential cyber-attacks.
6. It is all about the leadership—Really!
Lastly, cybersecurity failures are not failures of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO), but they are often the “sacrificial lambs” fired for a significant security breach. This mentality continues to contribute to cybersecurity failings where the community is leaving because of the lack of support and commitment from higher up to include the Chief Executive Officer (CEO) or Secretary of a federal agency. The responsibility and accountability must be centered at the highest senior of an organization, or cybersecurity breaches will continue without “pinning” accountability where it belongs.
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.
