
The Department of Defense’s (DoD) Acting Chief Information Officer (CIO) Katie Arrington has publicized her goal of “blowing up” the Risk Management Framework (RMF), but what does that actually mean?
The RMF, defined in NIST SP 800-37, is the process federal agencies and the DoD use to meet their obligations under the Federal Information Security Modernization Act (FISMA); the security and privacy controls it selects, assesses and authorizes are catalogued in NIST SP 800-53. Together they set the baseline for cybersecurity across the department.
Rob Vietmeyer, the chief software officer at the DoD, explained today that when his boss talks about “blowing up” the RMF, she’s talking about moving from a process that is compliance-focused to a real-time cyber posture.
“I think part of the confusion is when we say, ‘blow up RMF,’ it doesn’t necessarily mean that the FISMA law or that the controls in 800-53 are broken,” Vietmeyer said on June 17 during Federal News Network’s Cloud Exchange.
“I think what we can say is that our implementation in the department today impedes innovation. It burdens our workforce. It’s really difficult to scale,” he added. “It’s kind of this archaic paper-driven, compliance-first type of approach that is a lot of overhead and slow to adapt to the modern environment.”
Vietmeyer said that the department is still nailing down the specifics on how it plans to blow up the RMF, saying, “There will be more coming out from the department soon on what this really looks like.”
He added that DoD Chief Information Security Officer (CISO) David McKeown is hosting meetings with his counterparts, and they’re currently looking to come up with some recommendations.
Nevertheless, Vietmeyer offered his own insights into what he thinks the future RMF will look like, explaining that the current cyber environment is changing “at an exponential rate.”
Last year alone, he said, about 40,000 new Common Vulnerabilities and Exposures (CVE) records were published, a 38 percent increase over the previous year.
“If you’re not in a highly dynamic real-time cyber postural environment that can respond to that level of speed … you’re going to fall behind, right? You’re going to be vulnerable to your adversaries,” Vietmeyer said.
“So, when we look at … the problem, in my opinion, [of] the implementation being paper-driven, one-time sort of assessments, and sort of slow to pull in more modern approaches, I think that’s what we want to blow up, right? It’s really the implementation and how it works today,” he said.
Moving forward, he recommends that applications automatically inherit security controls from the platforms they run on, rather than re-documenting them per system. He also stressed the need to automate the assessment of RMF controls instead of relying on point-in-time paperwork.
“Whether you call it continuous monitoring or automation, build those into the pipelines. Build the approval processes into the pipeline itself so that our cybersecurity RMF professionals … are monitoring the cyber posture of the applications that are coming through,” Vietmeyer said.
“We’re in a position now where we can provide a lot of the underlying capabilities as inheritable controls and inheritable platforms that could really, as folks migrate into those environments, could really move forward much faster,” he added.
Alongside the RMF overhaul, Vietmeyer said he is currently working through the more than 400 responses to three requests for information (RFIs) on the Software Fast Track (SWFT) framework. He said he is “about three-quarters of the way through those” responses.
“I’m just really impressed with the responses that industry has given us,” he said. “They really took it to heart, understood the problems that we’re trying to get after, and have been really positive in saying, ‘Hey, we’re there. This is what we’ve learned. Here are some of the challenges. Here’s where we’re going,’ or ‘Hey, we have tools that are available that can do these parts of this problem.’ A lot of great advice is coming through there.”
Additionally, Vietmeyer said that “every response” he has read so far has talked about the use of a software bill of materials (SBOM) or how they have tooling to support the creation of SBOMs.
“I’m really looking forward to the next step. So, I have a couple more weeks to get through those RFIs,” he said. “We are engaged in conversations, both with folks inside and outside the department that are working in this space to help refine what that approach will be. So, stand by, I think you’ll see a lot of really interesting capabilities coming out of us. So, I’m really, really excited about how SWFT [and RMF] will evolve.”
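To make concrete what “building the approval process into the pipeline” and SBOM-driven tooling look like in practice, here is an added example (not DoD code, and not any vendor’s tool from the RFI responses): a small pipeline gate that parses a CycloneDX-style SBOM, matches its components against an advisory feed, and fails the build when a finding meets the severity threshold. The SBOM, the advisory feed with its `ADV-` identifiers, the package names and the policy threshold are all constructed for illustration; none of them are real CVEs, packages or DoD policy values.

```python
"""Pipeline gate that checks a CycloneDX-style SBOM against an advisory feed.

Hypothetical example: the SBOM, the advisory feed and the policy threshold
are constructed here for illustration. Nothing in this file is DoD tooling
or a real vulnerability record.
"""
import json

# Constructed CycloneDX-shaped SBOM with only the fields the gate needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3"},
        {"type": "library", "name": "libbar", "version": "2.0.1"},
        {"type": "library", "name": "libbaz", "version": "0.9.0"},
    ],
})

# Constructed advisory feed with fictional identifiers (not real CVEs).
# Each entry names the affected package, the first fixed version and a severity.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "libfoo", "fixed_in": "1.2.4", "severity": "high"},
    {"id": "ADV-0002", "package": "libbar", "fixed_in": "2.0.0", "severity": "critical"},
    {"id": "ADV-0003", "package": "libqux", "fixed_in": "3.1.0", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v):
    """Turn a dotted version into a comparable tuple of ints.

    Non-numeric segments compare as 0, so an unparseable or missing version
    sorts below every fixed version and is flagged (the gate fails closed).
    """
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        (c["name"], c["version"])
        for c in doc.get("components", [])
        if "name" in c and "version" in c
    ]


def find_affected(components, advisories):
    """Match each component against advisories whose fix it predates."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": f"{name}@{version}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def gate(findings, block_at="high"):
    """Return (passed, blocking_findings) for the given severity threshold."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return len(blocking) == 0, blocking


def run(sbom_json=SAMPLE_SBOM, advisories=SAMPLE_ADVISORIES, block_at="high"):
    """Full gate evaluation: parse SBOM, match advisories, apply policy."""
    findings = find_affected(load_components(sbom_json), advisories)
    passed, blocking = gate(findings, block_at)
    return {"passed": passed, "findings": findings, "blocking": blocking}


if __name__ == "__main__":
    result = run()
    for f in result["findings"]:
        print(f"{f['component']}: {f['advisory']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("GATE PASSED" if result["passed"] else "GATE FAILED")
```

In a CI job this script would run after the SBOM is generated and its exit status would decide whether the build may proceed; the advisory feed and threshold would come from the platform rather than each application, which is what makes the control inheritable rather than re-assessed by hand per system.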