For many government agencies and their contractors who deal with sensitive data, following the Risk Management Framework (RMF) guidelines is required by federal law. But implementing a high-quality RMF goes far beyond simply checking off each protocol one by one. Agencies and contractors engaged with RMF need to have a clear understanding of why this work matters, as well as the professional experience and best practices to efficiently and successfully achieve Authorization to Operation (ATO).
Here at Entrust Solutions, we are currently executing a contract to provide cybersecurity services with an RMF subcomponent. We have also achieved 7 ATOs for one of our clients over the past year. Our extensive RMF experience, expert staff, and advanced internal protocols have enabled us to deliver the results our clients need, as well as offer advice on the best practices for others partaking in RMF work.
Why Does the Risk Management Framework Matter?
Cybercriminals pose a risk to every organization. Cyberattacks cost small and midsize businesses an average of $383,365 per attack. With such a hefty price, many of these organizations never reopen.
For government agencies and their contractors, the potential harm is even greater. When a hacker manages to infiltrate the security system of a government body or third-party contractor, national or international security can be severely jeopardized. In the hands of a cybercriminal, classified information can become a weapon against foreign relationships, national financial systems, and our national defense protocols.
The highly publicized 2018 data breach at the Department of Defense, which was a major catalyst for the new Cybersecurity Maturity Model Certification (CMMC) requirements for DoD contractors, serves as an illustrative example. By gaining access to the network of a defense contractor, hackers obtained the personal data of at least 30,000 civilians and military personnel.
This sensitive data included social security numbers, credit card numbers, and travel information, such as specific airplane seat numbers. Had this breach not been detected when it was, this leaked information could have resulted in a terrorist attack. Government agencies and contractors alike have rightly taken this incident as a lesson for future security preparations.
The Risk Management Framework exists to standardize the security controls and related protocols used by many federal government agencies and their third-party contractors. The steps outlined by RMF are designed to strengthen information assurance procedures that, in turn, reinforce national security measures.
All of Entrust’s current processes are involved with the current RMF/eMASS model that consists of 6 steps. There is a 7-step RMF process, but it has not been rolled out to eMASS. Until eMASS catches up and is adjusted to 7 steps, Entrust will continue to align to the industry standard. Please note that the information in this blog post is accurate at the time of publication and will be updated appropriately as processes evolve and mature in this space.
Our RMF Expertise
As a growth-driven company specializing in cybersecurity, Entrust Solutions strives to be a leader in the field of Risk Management Framework. In addition to currently executing a contract to provide cybersecurity services with an RMF subcomponent, we have achieved 7 ATOs for one of our clients in the last 12 months.
What exactly makes Entrust unique in the field of RMF? We believe that our company has distinguished itself through our sophisticated internal guidelines and practices, our understanding of digital assets in relation to RMF, and our high-caliber personnel.
Our RMF Library
Risk Management Framework procedures are covered in numerous government publications, such as NIST SP 800-53. Entrust Solutions excels at adhering to the detailed protocols of the RMF laid out by the federal government and helping our clients earn ATOs.
To more closely track our RMF progress with various clients while following these federal guidelines, we have developed our own RMF library containing over 30 procedural templates, plans, and spreadsheets. The documents in our library essentially fuse the RMF industry standards with what we have learned from past projects. We then use these internally developed documents to further our current internal initiatives and help our clients successfully gain ATOs.
One of our tools, for instance, is the Requirements Traceability Matrix (RTM). Our RTM helps us track all of the testing requirements for our in-progress accreditation packages. Another one of our valuable documents is our Assured Compliance Assessment Solution (ACAS) evaluation. We use this spreadsheet to determine if an ACAS scan meets all of the scan and plugin date parameters, as well as to detect potential errors that may need further analysis.
Meet Our Senior Information Systems Security Engineering Leader
One of Entrust Solutions’ top RMF experts is Chuck Lewis, our Senior Information Systems Security Engineering Leader. Lewis is a valuable member of our four-person RMF team.
Nineteen months ago, Chuck Lewis first considered joining Entrust Solutions. When he had the opportunity to meet with our President, Chris Mobley, Lewis stressed his eagerness to establish cyber excellence with our company. Although Entrust was and still is a small company, Lewis saw already our potential to grow into a center for superb digital innovations, standards, and solutions in both the government and commercial worlds.
Prior to joining Entrust, Lewis spent over 30 years building an outstanding career in information security. He received his first RMF brief in October 2013. At the time, DIACAP, the former industry standard for government information security protocols, was slowly being phased out. In Lewis’ words, DIACAP was a “check-in-the-box kind of certification.” With DIACAP, once the required documents were completed and an ATO was achieved, no further information security tests were needed until it came time for renewal 3 years later.
Right away, Lewis saw how the Risk Management Framework could offer vast improvements over DIACAP. Although RMF is “still very much a work in progress” even 7 years later, RMF inherently stresses the importance of government agencies and contractors alike not simply going through the motions for accreditation. “RMF, conceptually, brought the idea of constant security, or what we call continuous monitoring,” explains Lewis.
Before entering the contract world, Lewis served as the Information System Security Manager for a Warfare Center in Virginia Beach. His duties included managing RMF accreditation packages for the command. Under his leadership, Lewis successfully guided the command to achieve ATOs for 5 different packages, including a core network; unclass network; secret network; classified Research, Development, Test, and Evaluation (RDT&E) package; and unclassified RDT&E package.
Lewis brings to Entrust’s RMF team not only firsthand understanding of the federal government’s RMF history, but also a thorough knowledge of today’s cutting-edge cyber RMF techniques.
Our Recommendations for RMF Best Practices
When it comes to the Risk Management Framework, Entrust’s experienced team, comprehensive library, and proven track record of ATOs help to distinguish us in the information assurance field.
Below are a few of our best practices that have helped establish Entrust Solutions as a center for RMF excellence. Whether you are experienced with RMF or are just getting started, we hope that our advice will prove as valuable for you as it has for us.
1. Understand the Operational Goals
As the name suggests, most risk management procedures are centered upon detecting both current and potential threats to an organization’s IT infrastructure. Mitigating these risks often takes the form of practical adjustments, such as software patches, proactive cybersecurity techniques, and even staff trainings. All of these and more can be vital components to a business’ or government body’s RMF protocols.
However, these mitigation efforts cannot be framed only in terms of technical or tangible threats, such as network gaps or hardware defects. If your organization or client is to understand the importance of these RMF-related changes, the risks must also be framed in relation to the organization’s operational goals, such as preserving confidentiality or increasing revenue. Only by understanding the company’s or government body’s operational goals can you create a successful system of asset prioritization that stakeholders will find valuable.
2. Embrace the Process as Continuous
The federal government’s Risk Management Framework consists of 6 clearly defined steps. However, successful RMF implementation is never so straightforward as just going from one step to the next. As our Senior Information Systems Security Engineering Leader Chuck Lewis says, successful RMF means continuous monitoring of information procedures and assets.
RMF must be implemented more like a continual loop than a linear checklist for several reasons. For one, threats can occur during any of the 6 RMF stages. Even if you have already categorized an organization’s existing or possible risks, there’s no guarantee that new risks won’t pop up along the way.
Another reason is that the RMF can be applied at several varying levels. RMF protocols should be implemented not only at the overall project level, but at the sub-levels within the given project, such as the artifact level. Only by continually evaluating, implementing, and assessing RMF at multiple levels can you ensure that your organization’s or client’s information security channels are as well-protected as possible.
3. Accept That the Digital Landscape Is Ever-Evolving
If you have worked for more than a few years in the field of government information security, then you know that the Risk Management Framework was not always the industry standard. From DITSCAP to DIACAP to the current RMF, the federal policies guiding information assurance procedures over the last several decades have undergone numerous changes.
Some of these changes to information security standards are the result of our increasingly digitized world. Although many of our new cyber tools and processes have made information security protocols far easier, shifting these protocols to a digitized landscape can be a difficult transition.
Adding to these difficulties is the fact that, although new technologies can help us improve RMF procedures, new tech also presents new challenges to the RMF. In the hands of a hacker, high-tech procedures and tools can lead to destructive cyberattacks. The parameters of cyberattacks, as well as the tools we have to prevent them, change on a regular basis. Keeping up with those changes while adhering to RMF guidelines can be challenging.
What does all of this mean for those who work with RMF protocols? Whether you’re employed with a government agency or as a contractor, it’s critical to understand that your work is ever-changing. Working on RMF projects means being willing to constantly teach yourself and your team about not only new threats posed by bad actors, but also new techniques for detecting, assessing, and combating those threats. Since the cyber world never stops posing new risks and creating new valuable tools, you must learn to stay current with these trends in order to practice exceptional RMF cyber hygiene.
Contact Entrust Solutions to Achieve RMF Results
Having gained 7 ATOs for a single client over the last year, Entrust Solutions has established a recent record of RMF success. And given our expert team and internally developed library, we are well-positioned for future RMF success, too.
Whether you’re a commercial business or government agency, our center of RMF excellence has the track record, knowledge, and innovative spirit to help you gain your desired ATOs. Contact us today to learn more about how we can leverage our vast RMF experience and knowledge to benefit you.
Are you an individual contractor with RMF experience? We are always looking for enthusiastic and hard-working professionals to join our team. Browse our current job openings or get in touch with us directly to discuss what kinds of opportunities we have waiting for you.