Marine cyber chief: Do not fear RMF

The government's Risk Management Framework is no different from the old certification and accreditation process, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division.

"If we define what we are trying to do, I want to see if you've built a system in such a way and that we're going to operate the system in such a manner that is going to protect that information at the specific levels of safety," Letteer said at the Digital Government Institute's 930gov conference on Aug. 24.

He added that the framework is an evolution of the decades-old process of assessing risk and protecting data. And although RMF has expanded requirements, it seeks to automate as much of the process as possible to allow accreditors like Letteer to focus on the larger challenges rather than the day-to-day concerns.

He cited the example of the Defense Department using "comply-to-connect" solutions. When a new system or device is plugged into the network, it is isolated until an automated tool scans the device, loads necessary patches, sets up security protocols and then registers the system on the network.

Letteer said that as a test, a laptop from Best Buy was connected out of the box, and it took 45 seconds for the tool to update, secure and register the computer on the network.

"That's the vision of RMF; that's the vision of doing the automation we want to see...so I don't have to have somebody do brainless work," Letteer said. "I don't want a Marine running around with a CD. I want that approach done automatically."

In the past, accreditors came into the process far too late, he added. That could kill systems that were just about to deploy and waste time, energy and money.

He said information security systems engineers must be involved from the earliest design stages. They need to have input into how things are shaped to incorporate proper security, "so by the time it comes out to Milestone B, you're good to go," he added.

In addition, the Marine Corps has centralized its system accreditation process, so no one downstream can demand a different accreditation package, Letteer said.

He added that Marine Corps systems and devices must operate in multiple environments, including on the battlefield, and that means the RMF must ensure that systems deployed in the field meet the same requirements as those located in a secure room at a base.

Another challenge is helping people understand what constitutes a substantive security change that requires new or updated accreditation. He said in some cases, people submit accreditation packages for cosmetic changes -- such as changing the background color of an application window.

"Their heart was in the right place, but I had to say, 'Look, that's not how we're going to do it,'" he said. "Unless it has a change to the security impact of the system...we don't go back in and start from ground zero and relook at everything again."

Letteer emphasized the need to streamline the risk management process and clearly communicate why it is important and how it ultimately supports combat operations and keeps people safe.

"Our responsibility in this environment is to find a way to say yes, but fight stupid," he said, referring to people's tendency to take shortcuts out of convenience.

Nevertheless, he emphasized that the RMF is more evolutionary than revolutionary.

"I still don't think things have fundamentally changed as to the ultimate requirement, and you need to keep that simple approach, that Zen approach to what you're trying to do," he said.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
