How consulting giant Booz Allen Hamilton automated the U.S. Navy’s Risk Management Framework (RMF)
Like most organisations under the U.S. Department of Defense, and in line with federal policy, the U.S. Navy applies a version of the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST) to evaluate new or updated IT systems and to confirm that they are adequately protected against cybersecurity threats and vulnerabilities before they are put online.
As it stands, however, that evaluation, although essential to cybersecurity, has usually been an arduous and time-consuming endeavour. Given the need to ease the RMF certification process without giving up any of its rigour, the RMF Automation & Process Streamlining system developed by consulting giant Booz Allen Hamilton has proved crucial in automating RMF evaluations and helping the Navy certify operational systems faster and more efficiently.
The RMF process is used to manage cybersecurity across thousands of U.S. Navy IT systems. The central challenge is that, in order to receive and then maintain an authorization to operate (ATO), each system must undergo and pass a full RMF evaluation.
Earning and maintaining an ATO is not, however, a simple task. It takes 13 months on average, and anywhere between 8 and 18 months for a single system. The documentation requirements are also time-consuming, and uploading and assessing the necessary test data can take several weeks on its own. Such extended timelines often prevent Navy organisations from rapidly fielding new capabilities that would improve business, operational and mission performance.
Because the process is usually conducted manually, it is also prone to human error, which can significantly delay entire documentation packages. Most of these tasks fall to highly paid and experienced cybersecurity staff and contractors, diverting them from higher-value work.
To ease the process and help their Navy clients field systems faster and more efficiently, consultancies have worked to automate a number of the RMF’s elements while preserving the integrity of the networks being assessed. From this came Booz Allen Hamilton’s RMF Automation & Process Streamlining tool, a solution intended to make the RMF process quicker, cheaper and more accurate than before.
Less than a year after development began, Booz Allen reported: “Within 6 months, the number of RMF Automation & Process Streamlining automation bots in use grew from two to 14, and still more were in development. Each bot automates and expedites tasks and workflows supporting all six steps in the RMF process.”
“Today, RMF Automation & Process Streamlining has been used to help accredit dozens of systems for tactical communications, command and control, and mission planning at Navy commands in both classified and unclassified settings. The tool is portable, intuitive, and user-friendly. RMF Automation & Process Streamlining walks practitioners through the RMF process step by step, much like the apps found on popular tax-filing websites.” The tool has supported several communities of RMF practitioners, including information system security engineers and Navy-qualified validators.
Navy programs employing the tool began seeing benefits almost immediately: manual, error-prone tasks such as data entry, report generation and data analysis that previously took days or weeks are now completed in minutes. The tool has also helped automate the Navy’s CYBERSAFE process for verifying security features; in one case it evaluated a new relay node on a tactical communications system and added 109 CYBERSAFE security controls in about two minutes, work that would otherwise have taken at least four hours.
“Among the features that distinguish RMF Automation & Process Streamlining from other RMF process-automation tools are its ease of use and its interoperability with other applications. In addition, its open architecture enables it to incorporate additional automation bots regardless of who developed them, whether Booz Allen or other companies.”