Marine cyber chief: Do not fear RMF

room of computers

The government's Risk Management Framework is no different from the old certification and accreditation process, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division.

"If we define what we are trying to do, I want to see if you've built a system in such a way and that we're going to operate the system in such a manner that is going to protect that information at the specific levels of safety," Letteer said at the Digital Government Institute's 930gov conference on Aug. 24.

He added that the framework is an evolution of the decades-old process of assessing risk and protecting data. And although RMF has expanded requirements, it seeks to automate as much of the process as possible to allow accreditors like Letteer to focus on the larger challenges rather than the day-to-day concerns.

He cited the example of the Defense Department using "comply-to-connect" solutions. When a new system or device is plugged into the network, it is isolated until an automated tool scans the device, loads necessary patches, sets up security protocols and then registers the system on the network.

Letteer said that as a test, a laptop from Best Buy was connected out of the box, and it took 45 seconds for the tool to update, secure and register the computer on the network.

"That's the vision of RMF; that's the vision of doing the automation we want to I don't have to have somebody do brainless work," Letteer said. "I don't want a Marine running around with a CD. I want that approach done automatically."

In the past, accreditors came into the process far too late, he added. That could kill systems that were just about to deploy and waste time, energy and money.

He said information security systems engineers must be involved from the earliest design stages. They need to have input into how things are shaped to incorporate proper security, "so by the time it comes out to Milestone B, you're good to go," he added.

In addition, the Marine Corps has centralized its system accreditation process, so no one downstream can demand a different accreditation package, Letteer said.

He added that Marine Corps systems and devices must operate in multiple environments, including on the battlefield, and that means the RMF must ensure that systems deployed in the field meet the same requirements as those located in a secure room at a base.

Another challenge is helping people understand what constitutes a substantive security change that requires new or updated accreditation. He said in some cases, people submit accreditation packages for cosmetic changes -- such as changing the background color of an application window.

"Their heart was in the right place, but I had to say, 'Look, that's not how were going to do it,'" he said. "Unless it has a change to the security impact of the system...we don't go back in and start from ground zero and relook at everything again."

Letteer emphasized the need to streamline the risk management process and clearly communicate why it is important and how it ultimately supports combat operations and keeps people safe.

"Our responsibility in this environment is to find a way to say yes, but fight stupid," he said, referring to people's tendency to take shortcuts out of convenience.

Nevertheless, he emphasized that the RMF is more evolutionary that revolutionary.

"I still don't think things have fundamentally changed as to the ultimate requirement, and you need to keep that simple approach, that Zen approach to what you're trying to do," he said.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.