For 16 years, I have been working with the federal government. And in that time, nothing has ever happened efficiently. It’s not that the government’s regulations and laws aren’t well thought out. The problem is the people responsible for interpreting the laws and regulations. Quite often they’re construed in a way that best suits the interpreters and their success.
In my experience, the Department of Defense’s (DoD) authorization process takes 12 to 18 months on average, which is far too long. The software development process continues to advance, but the system is lost somewhere in the abyss that is the authorization process. I’ve seen instances where the operating system became obsolete during the authorization period, and the DoD’s customer is stuck signing off on an unsupported vendor product. Much of the hold-up is due to a huge rift between the policy’s intent and how it’s actually interpreted.
But what does all this have to do with the DoD IT Risk Management Framework? As the armed forces enact the RMF, it’s crucial that they stay true to its intent, especially when it comes to the following.
- Risk Management. The RMF process as documented by the National Institute of Standards and Technology (NIST) is a proven and effective methodology for identifying, mitigating, remediating, accepting and managing risk in an organization. It’s not a rigid, bean-counting process for refusing to allow systems to store, transmit or process information whenever a high-risk vulnerability is identified.
- Agility. Today’s systems are constantly evolving, and continuous monitoring is crucial. The armed forces need to quickly identify vulnerabilities in our infrastructure and efficiently manage them through remediation, mitigation or increased monitoring. And once an authorizing official determines an acceptable level of risk, the goal should be to maintain that level of risk.
- Reciprocity. We need to do away with the multiple authorization templates and documentation sets, and make reaccrediting systems for different organizations a quicker process. Our resources should be dedicated to protecting and defending our systems and information. We are in a new place in the cyber age, and arguing over the aesthetics of a system security plan is a waste of time and money.
- Lifecycle. Security engineering must integrate into the system development lifecycle. Anti-virus software and firewalls just don’t cut it anymore. The software development process has to evolve to emphasize secure coding. Change management also needs to make security a top priority as every adjustment impacts security in some way.
- Education. With cyber threats and attacks on the rise, education and training are critical. Colleges need to educate all students, from undergrads to Ph.D. candidates, about cyber risks. Continuing education is also essential. Cyber technologies and threats change daily, and those in the cyber field need to stay ahead of the curve to ensure they’re ready for anything. Knowledge is power, especially when it comes to cyber security.
The days when cyber security professionals were holed up in closets monitoring firewalls and patch compliance levels are long gone. Today, cyber warriors are standing on desks, shouting that security is everyone’s responsibility. And the world needs to listen up.
To keep our nation safe, cyber security must be built into every facet of every organization across the country. Continuous monitoring must be a top priority. Security operations centers must be integrated with network operations centers so we know when a system falls out of compliance with its authorized risk level.
It’s time to get out from behind the piles of papers, and realize that the true fight is on the network, not in the documentation. Build a secure network, manage its lifecycle, and we’ll have a much better chance of winning the war against cyber crime.