Cybersecurity

Marine cyber chief: Do not fear RMF


The government's Risk Management Framework is no different from the old certification and accreditation process, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division.

"If we define what we are trying to do, I want to see if you've built a system in such a way and that we're going to operate the system in such a manner that is going to protect that information at the specific levels of safety," Letteer said at the Digital Government Institute's 930gov conference on Aug. 24.

He added that the framework is an evolution of the decades-old process of assessing risk and protecting data. And although RMF has expanded requirements, it seeks to automate as much of the process as possible to allow accreditors like Letteer to focus on the larger challenges rather than the day-to-day concerns.

He cited the example of the Defense Department using "comply-to-connect" solutions. When a new system or device is plugged into the network, it is isolated until an automated tool scans the device, loads necessary patches, sets up security protocols and then registers the system on the network.

Letteer said that as a test, a laptop from Best Buy was connected out of the box, and it took 45 seconds for the tool to update, secure and register the computer on the network.
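The gating logic behind the comply-to-connect flow described above, as an added example that is not part of the article and not the Defense Department's own tool: a newly attached device starts isolated, is scanned against a baseline, has missing patches and settings remediated, and is registered only after a clean rescan; a device that cannot be brought into compliance stays off the network. The patch identifiers, baseline settings and device inventory are all constructed for illustration.

```python
"""Toy model of comply-to-connect onboarding (added example, not the
article's or DoD's code). A device enters QUARANTINE, is scanned against a
constructed baseline, remediated where possible, rescanned, and only then
REGISTERED; anything still non-compliant is REJECTED and stays isolated."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    QUARANTINE = "quarantine"   # attached but not allowed to talk to the network
    REGISTERED = "registered"   # compliant; admitted to the network
    REJECTED = "rejected"       # could not be made compliant; remains isolated


# Constructed baseline: patches every endpoint must carry and settings it must have.
REQUIRED_PATCHES = {"KB-0001", "KB-0002", "KB-0003"}
REQUIRED_SETTINGS = {"disk_encryption": True, "host_firewall": True}


@dataclass
class Device:
    name: str
    installed_patches: set[str] = field(default_factory=set)
    settings: dict[str, bool] = field(default_factory=dict)
    state: State = State.QUARANTINE
    log: list[str] = field(default_factory=list)


def scan(device: Device) -> tuple[set[str], dict[str, bool]]:
    """Return the patches still missing and the settings that deviate from baseline."""
    missing = REQUIRED_PATCHES - device.installed_patches
    drift = {k: v for k, v in REQUIRED_SETTINGS.items() if device.settings.get(k) != v}
    device.log.append(f"scan: missing={sorted(missing)} drift={sorted(drift)}")
    return missing, drift


def remediate(device: Device, missing: set[str], drift: dict[str, bool],
              patch_repo: set[str]) -> bool:
    """Install available patches and apply baseline settings.
    Returns False if a required patch is not available from the repository."""
    for kb in sorted(missing):
        if kb not in patch_repo:
            device.log.append(f"remediate: {kb} unavailable")
            return False
        device.installed_patches.add(kb)
        device.log.append(f"remediate: installed {kb}")
    for key, value in drift.items():
        device.settings[key] = value
        device.log.append(f"remediate: set {key}={value}")
    return True


def onboard(device: Device, patch_repo: set[str]) -> State:
    """Run the full flow. The decision rests on the post-remediation rescan,
    not on the fact that remediation ran, so a silent remediation failure
    cannot admit a non-compliant device."""
    missing, drift = scan(device)
    if (missing or drift) and not remediate(device, missing, drift, patch_repo):
        device.state = State.REJECTED
        return device.state
    missing, drift = scan(device)
    device.state = State.REJECTED if (missing or drift) else State.REGISTERED
    device.log.append(f"final state: {device.state.value}")
    return device.state


def demo() -> dict[str, State]:
    """Constructed devices: an out-of-the-box laptop, an already-compliant
    host, and a device whose missing patch is not in the repository."""
    repo = set(REQUIRED_PATCHES)
    fresh = Device("retail-laptop")
    compliant = Device("managed-host", set(REQUIRED_PATCHES), dict(REQUIRED_SETTINGS))
    stale = Device("stale-host", {"KB-0001", "KB-0002"}, dict(REQUIRED_SETTINGS))
    results = {
        fresh.name: onboard(fresh, repo),
        compliant.name: onboard(compliant, repo),
        stale.name: onboard(stale, repo - {"KB-0003"}),
    }
    for dev in (fresh, compliant, stale):
        print(dev.name, "->", dev.state.value)
        for line in dev.log:
            print("   ", line)
    return results


if __name__ == "__main__":
    demo()
```

The point worth carrying over to a real enforcement tool is in `onboard`: registration is granted on the evidence of the rescan, so the device is admitted because it was verified compliant, not because a remediation step reported success.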

"That's the vision of RMF; that's the vision of doing the automation we want to see...so I don't have to have somebody do brainless work," Letteer said. "I don't want a Marine running around with a CD. I want that approach done automatically."

In the past, accreditors came into the process far too late, he added. That could kill systems that were just about to deploy and waste time, energy and money.

He said information security systems engineers must be involved from the earliest design stages. They need to have input into how things are shaped to incorporate proper security, "so by the time it comes out to Milestone B, you're good to go," he added.

In addition, the Marine Corps has centralized its system accreditation process, so no one downstream can demand a different accreditation package, Letteer said.

He added that Marine Corps systems and devices must operate in multiple environments, including on the battlefield, and that means the RMF must ensure that systems deployed in the field meet the same requirements as those located in a secure room at a base.

Another challenge is helping people understand what constitutes a substantive security change that requires new or updated accreditation. He said in some cases, people submit accreditation packages for cosmetic changes -- such as changing the background color of an application window.

"Their heart was in the right place, but I had to say, 'Look, that's not how we're going to do it,'" he said. "Unless it has a change to the security impact of the system...we don't go back in and start from ground zero and relook at everything again."

Letteer emphasized the need to streamline the risk management process and clearly communicate why it is important and how it ultimately supports combat operations and keeps people safe.

"Our responsibility in this environment is to find a way to say yes, but fight stupid," he said, referring to people's tendency to take shortcuts out of convenience.

Nevertheless, he emphasized that the RMF is more evolutionary than revolutionary.

"I still don't think things have fundamentally changed as to the ultimate requirement, and you need to keep that simple approach, that Zen approach to what you're trying to do," he said.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

