
Defense Department unveils initial Request for Information aimed at revamping risk management structure

Inquiry solicits recommendations from vendors concerning modifications to Department of Defense's Risk Management Framework process to revolutionize its strategy for cyber risk management.


The Defense Department (DoD) has announced plans to reform its Risk Management Framework (RMF) in a bid to make it more agile, efficient, and effective in the face of evolving cybersecurity threats. The reform aims to reduce redundancies, improve cybersecurity resilience, and accelerate the deployment of secure technologies across DoD systems.

Katie Arrington, the DoD's acting Chief Information Officer, stated that the reform will address long-standing challenges in the RMF, cutting unnecessary duplication and making the process more adaptive to today's fast-evolving cybersecurity environment. The initiative reflects the DoD's commitment to a more agile and resilient risk management approach that balances security rigor with operational speed and efficiency.

The DoD's Notional Construct, described in a recent Request for Information (RFI), condenses the security controls of RMF and NIST Special Publication 800-53 into a slimmer process with five phases: design, build, test, onboard, and operate. The reform is expected to change the way the DoD implements RMF, not to replace the framework itself wholesale.

Rob Vietmeyer, the DoD's chief software officer, suggested that the reimagined process could make heavy use of automation and inheritance so that the appropriate security controls are adopted and implemented continuously. Under that model, dedicated platform teams own the cyber posture of DoD platforms in the DevSecOps pipeline, and applications built on those platforms automatically inherit the platforms' security and secure-operations controls.

Cloud providers are accountable for maintaining many of the controls in the DevSecOps pipeline, and the pipeline itself allows a significant portion of the required controls to be inherited. Gateways in the pipeline ensure that software or systems have passed security testing and satisfied the remaining controls before deployment.
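To make the inheritance-plus-gate model concrete, here is an added illustration that is not DoD code and not part of the RFI: the controls a cloud provider and a platform already satisfy are subtracted from an application's baseline, and a deployment gate then lets a release through only when every residual control the application team still owns has passing evidence from a pipeline stage. The control identifiers are NIST SP 800-53 names, but the assignment of controls to the provider, the platform and the pipeline stages, the stage results, and all function names are constructed for this example.

```python
"""Control inheritance and a DevSecOps deployment gate modelled as sets.

Added example, not DoD or RFI code. The mapping of NIST SP 800-53 controls to
the cloud provider, the platform and the pipeline stages is hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical inheritance model: controls already satisfied by each layer.
CLOUD_PROVIDER_CONTROLS = {"PE-3", "PE-6", "MP-2", "SC-8"}
PLATFORM_CONTROLS = {"AU-2", "AU-6", "AU-12", "CM-2", "CM-6", "SC-7",
                     "SI-4", "IA-2", "RA-5"}

# Hypothetical slice of a baseline an application must satisfy in total.
BASELINE = {
    "AC-2", "AC-3", "AU-2", "AU-6", "AU-12", "CM-2", "CM-6", "IA-2", "MP-2",
    "PE-3", "PE-6", "RA-5", "SA-11", "SC-7", "SC-8", "SI-2", "SI-4", "SI-10",
}

# Hypothetical mapping from pipeline stage to the controls its results evidence.
STAGE_TO_CONTROLS = {
    "sast": ["SA-11", "SI-10"],
    "dependency_scan": ["SI-2"],
    "authz_tests": ["AC-2", "AC-3"],
}


def _control_key(control_id):
    """Sort key so that SI-2 precedes SI-10 (family, then numeric id)."""
    family, number = control_id.split("-")
    return (family, int(number))


def residual_controls(baseline, *inherited_sets):
    """Controls the application team still owns after inheritance."""
    inherited = set().union(*inherited_sets)
    return sorted(baseline - inherited, key=_control_key)


@dataclass
class Evidence:
    control: str
    source: str      # pipeline stage that produced the evidence
    passed: bool
    detail: str = ""


@dataclass
class GateDecision:
    allow: bool
    missing: list = field(default_factory=list)   # residual controls with no evidence
    failed: list = field(default_factory=list)    # residual controls with failing evidence


def evidence_from_stages(stage_results):
    """Turn {stage: (passed, detail)} pipeline output into per-control evidence."""
    evidence = []
    for stage, (passed, detail) in stage_results.items():
        for control in STAGE_TO_CONTROLS[stage]:
            evidence.append(Evidence(control, stage, passed, detail))
    return evidence


def evaluate_gate(residual, evidence):
    """Allow only if every residual control has evidence and none of it failed.

    Inherited controls are not re-checked here: the platform and provider own them.
    """
    by_control = {}
    for item in evidence:
        by_control.setdefault(item.control, []).append(item)
    missing = [c for c in residual if c not in by_control]
    failed = [c for c in residual
              if c in by_control and any(not e.passed for e in by_control[c])]
    return GateDecision(allow=not missing and not failed, missing=missing, failed=failed)


def run_gate(stage_results):
    """Full flow: compute residual controls, collect evidence, decide."""
    residual = residual_controls(BASELINE, CLOUD_PROVIDER_CONTROLS, PLATFORM_CONTROLS)
    return evaluate_gate(residual, evidence_from_stages(stage_results))


# Constructed pipeline runs (not real scan output).
RUN_BLOCKED = {
    "sast": (True, "0 high findings"),
    "dependency_scan": (False, "1 critical CVE in a transitive dependency"),
    "authz_tests": (True, "42/42 passed"),
}
RUN_ALLOWED = {
    "sast": (True, "0 high findings"),
    "dependency_scan": (True, "dependency upgraded, 0 critical"),
    "authz_tests": (True, "42/42 passed"),
}

if __name__ == "__main__":
    print("residual:", residual_controls(BASELINE, CLOUD_PROVIDER_CONTROLS, PLATFORM_CONTROLS))
    for name, run in (("blocked", RUN_BLOCKED), ("allowed", RUN_ALLOWED)):
        print(name, run_gate(run))
```

The design point is that the gate never re-evaluates inherited controls; it only demands evidence for what the application team owns, which is what lets a platform team's work shrink the per-application assessment rather than duplicate it. A stage that is skipped shows up as a missing control, not a silent pass.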

Last year, about 40,000 Common Vulnerabilities and Exposures (CVEs) were reported, a 38% increase over the previous year. Against that backdrop, the reform is meant to reimagine cyber risk management and move toward a culture, mindset, and process that operates more quickly and more accurately.

The Defense Department has issued a call to industry to gather feedback on how to enhance cybersecurity resilience, accelerate the deployment of secure technologies, and improve the efficiency of risk assessment across DoD systems. The reform is expected to improve reciprocity of system authorizations among federal agencies, integrate enterprise-wide decision-making, and harness innovative solutions to safeguard defense systems more effectively.

