What is a Cybersecurity Risk Management Framework?
The federal government’s Risk Management Framework (RMF) offers agencies guidelines, standards, and processes to help secure information systems. According to senior cybersecurity leaders speaking at the AFCEA TechNet Augusta conference, however, the RMF does not in itself make government networks more secure.
The RMF provides agencies with a process to evaluate their IT systems against the National Institute of Standards and Technology (NIST) cybersecurity framework. As such, it has raised IT operations teams’ awareness about the need to properly configure systems and stay abreast of security updates, which is a positive step forward.
Coupled with these positives, however, are a range of inherent challenges stemming from the RMF’s limitations. Throughout this AFCEA panel, which I had the pleasure to moderate, decorated senior leaders in cybersecurity discussed the effectiveness and limitations of cybersecurity risk management frameworks–and what agencies should do to address them.
The Limits of Cybersecurity Risk Management Frameworks
According to Capt. Christina Hicks, commanding officer with the United States Navy Cyber Defense Operations Command, the Navy’s RMF is a checklist-based, manually intensive process that requires substantial resources. This means that the RMF is compliance-based, and as Navy CIO Aaron Wies says, “cybersecurity is not a compliance issue.”
“At the end of the day [an RMF] does not make us more secure,” Hicks said during the panel. As the commanding officer responsible for the defense and protection of all Navy networks, Hicks noted that a vast number of cyber incidents occur on networks that have received an Authority to Operate (ATO).
Think of an ATO like a new car – once it leaves the sales lot, its value starts to depreciate. Agencies can’t predict every vulnerability that might be exploited. Therefore, an ATO is only a snapshot in time. To that end, the Navy is looking for ways to apply continuous data monitoring to gain better visibility into their networks.
As principal cyber advisor with the Department of the Air Force, panelist Wanda Jones-Heath has inherited many ATOs that look wonderful on paper – but damage assessments suggest a different story. Jones-Heath said the Air Force is applying industry-best practices, such as penetration testing and ethical hackers, to strengthen its cybersecurity posture and mitigate risks.
Risk Management in the Supply Chain
Supply chain risk management is a growing concern for defense agencies. This is due in part to supply shortages themselves. Another relevant factor is the rising frequency of attacks on supply chain software that have disrupted operations across the government, industrial, and critical infrastructure sectors. Supply chain risk management, however, is a part of the RMF.
“COVID taught us a lot when we couldn’t get parts for legacy systems,” Jones-Heath said, also noting that counterfeit IT systems and routers have an adverse impact on the mission. “We know the adversary is vigilant in trying to add things to the network we didn’t ask for.” The Air Force has a policy in place to address supply chain risks, but is struggling to execute it at scale. This has led to exploration of how to work with the acquisition community to address supply chain risk management early and often.
According to Bhavani Thuraisingham, Founders Chair Professor of Computer Science at the University of Texas at Dallas, agencies and businesses must also be aware of software supply chain risks. This is especially relevant since various types of software come from many different parts of the world.
“What are the risk factors when suppliers assemble software from all over the world? Is the software safer if it is coming from the United Kingdom versus India or China?” asked Thuraisingham. “These are considerations that must now be a part of agencies’ cybersecurity risk management strategy.”
AI/Machine Learning: The Double-Edged Sword
Data is an invaluable resource for today’s government agencies, as leaders strive to make more informed data-driven decisions. The data itself is gathered from increasingly varied sources, as government, industry partners, and allies share more data more frequently. Due to this influx, agencies are turning to artificial intelligence and machine learning (AI/ML) technology to harness the full power of their data. AI/ML is a core capability within cybersecurity solutions, but also is being used for finance, healthcare, manufacturing, and transportation.
Along with its powerful capabilities, AI/ML technology is also saddled with significant risk. “What happens if these AI and machine learning techniques are attacked,” asked Thuraisingham, continuing “that is a very real possibility. Imagine the consequences.”
Can we trust these AI/ML techniques? Adversaries are studying the government and industry’s AI/ML models and the data used to train them, looking to thwart governmental AI initiatives. As a result, research is focused on modifying machine learning algorithms to head off these adversaries. The challenge is finding the right metrics and balance to determine what assets are at high-risk and what are not.
Meanwhile, the Air Force has ramped up the use of AI. “The pieces I worry about from a risk perspective are the ethics,” Jones-Heath added. Humans are designing AI/ML systems, which raises concerns. Are we really building neural networks right? How do we validate that we are not imposing something into those algorithms we do not want?
In response, the Pentagon has accelerated efforts for the adoption and implementation of Responsible Artificial Intelligence (RAI) across the defense enterprise, providing a set of tenets that cover everything from data security governance to AI products and the acquisition lifecycle to the workforce.
Mitigating the Costs of a Risk Management Framework
Victoria Washington, CEO of professional IT services and consulting firm Vision IT, highlighted the need to solve the tradeoff between monetary cost and information security. Finding this balance is a challenge that both agencies and contractors face.
Implementing an RMF might differ according to each agency’s unique requirements, so teams may be required to work with contractors to remain compliant. Meanwhile, firms like Vision IT must secure their own networks and ensure compliance with the DoD’s Cybersecurity Maturity Model Certification (CMMC). There are additional costs associated with CMMC compliance as well. This leads to increased costs on both the RMF and CMMC fronts, which groups are hoping to mitigate with streamlined tools and approaches to compliance. To that end, Washington is looking forward to working with agencies on “how to mitigate costs and provide the types of services they need as well.”
A Multi-Pronged Approach to Cybersecurity Risk Management Frameworks
The “multi-pronged approach” to effective cybersecurity risk management frameworks involves many requirements. These include auditing, penetration testing, continuous monitoring, visibility, identity credentialing and access management (ICAM), zero trust architecture principles, and working with the acquisition community. This requires agencies to bake security into the front end of networks as they are built. Security measures like ICAM and zero trust must be proactively implemented, so that even if an adversary gets in they are denied lateral movement. “That is how we secure our network,” emphasized Hicks. “It is not ‘here is a checklist. See you in three years.’”
The Immuta Data Security Platform enables teams to discover, secure, and monitor the information across their data ecosystem so that the right people can see the right data at the right time. Our platform implements security across cloud compute and storage tools, facilitated by plain-language policies based on dynamic attribute-based access controls. These scalable controls can be built into data stacks from square one, and effectively support cybersecurity frameworks while mitigating risk.