Is RMF Broken? Can it be fixed or is it beyond repair?

By Lon J. Berman CISSP, RDRP

Thanks to the work of the Joint Task Force, RMF is now the official information security life cycle process across all three “segments” of the Executive Branch, i.e., DoD, federal civil agencies, and the intelligence community. It’s now been 4 ½ years since DoD officially “adopted” RMF (DoDI 8510.01, published in March of 2014) … and much longer for many of the other federal departments/agencies.

There is a growing sentiment that somehow RMF is “broken.” What exactly are the issues that have led people to come to this conclusion? The consensus seems to be that RMF is just “too time consuming and labor intensive.” Some even go so far as to claim that, even if conscientiously applied, RMF does little to actually make information systems more secure.

Let’s analyze these claims. There is no doubt RMF is a time-consuming process. Even for systems categorized in the Low and Moderate range, a considerable amount of time must be spent to address the vast number of security controls (and even “vaster” number of individual assessment objectives or CCIs) in the baseline. In addition to providing implementation statements for each control/CCI in the System Security Plan, the system owner will more than likely be faced with the prospect of either revising existing system documentation (such as Standard Operating Procedures) to cover the gamut of controls, or having to develop whole new documentation artifacts for various subject areas. On top of all that, the system owner will need to provide documented “evidence of compliance” (such as screen shots, copies of e-mails, etc.) for many of the controls. Overall, a daunting task for many system owners, especially in light of the fact that existing cybersecurity staff may be the only available resources with the knowledge to be able to do the work.

As if that’s not enough, many organizations (agencies, commands, DoD components) compound the problem by creating review processes that further “bottleneck” the process. Even after the independent assessment is done and a POA&M has been developed, the organization’s multi-layered “package approval chain” is likely to add weeks, if not months, to the overall timeframe to ATO.

To many system owners and their staff, RMF seems like nothing but a “mountain of paperwork.” How can that possibly make systems more secure? After all, wouldn’t it be more effective to redirect the RMF effort to something more “productive,” like detecting and mitigating technical vulnerabilities that can expose systems to external attack? We certainly need to be vigilant about technical security, but history has shown that non-technical security measures (e.g., policies, procedures, training, etc.) are equally important. For example, denial of service caused by external attack and denial of service caused by a poorly trained system administrator’s error are indistinguishable to the end user. Unauthorized system access due to hacker activity and unauthorized system access due to failure of the administrative process for account approval can both result in compromise of sensitive information. To be truly secure, our information security practices must be “holistic” in nature – including management and operational considerations as well as the technical. Holistic security is what RMF is all about – it’s not just a meaningless paperwork exercise.

All that said, it is absolutely a daunting challenge to conscientiously apply RMF to our information systems.

System owners can do several key things to help meet that challenge. First of all, we need to make sure everyone involved in the process receives appropriate training. A soldier would not be expected to operate a communication device or a weapons system without thorough training on its proper operation. The same thing should be true for our information security “soldiers” working “in the RMF trenches.” Secondly, we should be prepared to begin RMF activities early in the system life cycle, thereby minimizing the “time crunch” to get things done.

Once ATO is achieved, we should implement a continuous monitoring program that will ensure our security posture remains at a high level and minimizes the level of effort for the RMF re-authorization effort that awaits us down the road.

Agencies and organizations should also be doing their part to help system owners meet the challenge. A good start is developing and documenting policies and procedures that can be inherited by individual system owners. Organizations should also be working to streamline the review and approval process for RMF packages submitted by system owners. Lastly, organizations at the highest level… are you listening, Department of Defense? … should develop and publish policies, procedures and support tools for Continuous Monitoring that can be leveraged by all.