Risk Management Framework 101
Have you ever tried connecting some innovative technology to a military network only to be overwhelmed by the complex and protracted authorization process?
That process is called the Risk Management Framework or RMF. The concept originated at the National Institute of Standards and Technology (NIST) in 2014 for use by all Federal agencies to protect their computer networks from cyber exploitation. NIST recognized that comprehensive defense against cyber threats needed to be balanced against the legitimate needs of users to access and use their electronic data to serve a mission. So, rather than striving to completely eliminate risk, they developed the RMF concept to "provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions." [1]
At its core, the RMF asserts that all network users must be able to rely on the confidentiality, integrity, and availability of their networks and data. Senior leaders must determine the relative priority of these three aspects and manage risk accordingly by applying a six-step continuous process loop. The process starts with a description or characterization of the system, then selection and application of security controls, followed by an assessment of the effectiveness of those controls, authorization of the system, and perhaps most importantly, continuous monitoring.
For those without a background in cybersecurity, the sheer volume of guidance documents and regulations associated with RMF can be daunting. Equally important, the original RMF concept was built to address only traditional Information Technology (IT) systems, so it did not consider the uniqueness of industrial control systems or facility-related control systems. NIST and the DoD only recently adapted the RMF to cover these systems, which are so important to energy and water infrastructure management and optimization.
ESTCP has recognized the problem and the potential it has to derail some very promising technologies. Therefore, we have made it a priority to develop tools that will help developers quickly become more proficient at navigating the RMF process and obtaining authorization to operate innovative technologies on DoD networks.
The first of those tools is called "RMF 101". The intent of RMF 101 is to simplify the RMF landscape, introducing the newcomer to the process, the language, and the most important documents that describe it. Once you have a broad understanding of the RMF process, the language, and the documents, you can use RMF 101 as a guide to direct deeper research and learning of specific cybersecurity requirements.
The purpose of this blog post is to introduce RMF 101 and invite you to try it out by going to the ESTCP website at https://www.serdp-estcp.org/Tools-and-Training/Energy-and-Water. We plan to publish a series of follow-on blog posts that will describe each of the six steps in more detail. So, stay tuned.
[1] NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. http://dx.doi.org/10.6028/NIST.SP.800-37r1