RMF Applied to Modern Vehicles

By P. Devon Schall, CISSP, RDRP

During a recent RMF literature search, I came across an interesting article titled “RMF Applied to Modern Vehicles”. The article was published by Charlie McCarthy and Kevin Harnett in 2014 and sponsored by the National Highway Traffic Safety Administration (NHTSA). The overall goal of the research was to collect knowledge of how RMF applies to the automotive sector. Although the article provides a bulk of general RMF information, some interesting more granular observations were made and sharing these as well as discussing the scalability of RMF will be the focus of this article.

Modern automobiles have gone through dramatic technological advances in the last decade. Gone are the days of buying a Haynes or Chilton repair manual and performing maintenance in your driveway on a sunny spring afternoon. Modern vehicles have incredibly complex information systems and have an average of 80+ embedded control units (ECUs) as well as wired and wireless communications. The lines of code on these vehicles are also developing exponentially, with increasing likelihood of vulnerabilities being introduced in the System Development Life Cycle (SDLC).

The main conclusions of the study indicated that two primary considerations must be made in evaluating RMF implementation in automobiles.

1. System categorization would be difficult as a vehicle is not an information system, but more of a collection of complex interactions with various degrees of criticality. A modern vehicle cannot be used as a single purpose information system and the complexity of a modern vehicle would present numerous issues.

2. Vehicle sectors need to consider developing their own security control catalog that relates to this specific sector. The current security control catalog would not allow the level of granularity necessary in modern automated vehicles.

The findings above may appear to be common sense, but the most overwhelming issue I often see with RMF is that it has a lack of scalability. This lack of scalability becomes an issue when basic systems are subject to the equivalent amount of security controls as others which are more complicated and vice versa. RMF is not agile, and this lack of agility presents major problems regarding RMF scope and the pace at which RMF can be implemented.

BAI does not have a solution to the scalability issue discussed above, but we welcome comments and suggested RMF improvements. After visiting National Institute of Standards (NIST) and communicating with the team that creates these policies, it is critical that feedback is communicated to them. NIST also recognizes this and often provides a public comment timeframe before their publications are finalized. It is easy to ‘rest on our laurels’ regarding RMF, but it is far more effective to communicate with the team at NIST to work towards improving RMF and the state of our nations cyber defense.


McCarthy, C., & Harnett,(2014,October). National Institute of Standards and Technology Cybersecurity Risk Management Framework Applied to Modern Vehicles. (Report No. DOT HS 812 073). Washington, DC: National Highway Traffic Safety Administration