Marine cyber chief: Do not fear RMF

The government's Risk Management Framework is no different from the old certification and accreditation process, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division.

"If we define what we are trying to do, I want to see if you've built a system in such a way and that we're going to operate the system in such a manner that is going to protect that information at the specific levels of safety," Letteer said at the Digital Government Institute's 930gov conference on Aug. 24.

He added that the framework is an evolution of the decades-old process of assessing risk and protecting data. And although RMF has expanded requirements, it seeks to automate as much of the process as possible to allow accreditors like Letteer to focus on the larger challenges rather than the day-to-day concerns.

He cited the example of the Defense Department using "comply-to-connect" solutions. When a new system or device is plugged into the network, it is isolated until an automated tool scans the device, loads necessary patches, sets up security protocols and then registers the system on the network.

Letteer said that as a test, a laptop from Best Buy was connected out of the box, and it took 45 seconds for the tool to update, secure and register the computer on the network.

"That's the vision of RMF; that's the vision of doing the automation we want to see...so I don't have to have somebody do brainless work," Letteer said. "I don't want a Marine running around with a CD. I want that approach done automatically."

In the past, accreditors came into the process far too late, he added. That could kill systems that were just about to deploy and waste time, energy and money.

He said information security systems engineers must be involved from the earliest design stages. They need to have input into how things are shaped to incorporate proper security, "so by the time it comes out to Milestone B, you're good to go," he added.

In addition, the Marine Corps has centralized its system accreditation process, so no one downstream can demand a different accreditation package, Letteer said.

He added that Marine Corps systems and devices must operate in multiple environments, including on the battlefield, and that means the RMF must ensure that systems deployed in the field meet the same requirements as those located in a secure room at a base.

Another challenge is helping people understand what constitutes a substantive security change that requires new or updated accreditation. He said in some cases, people submit accreditation packages for cosmetic changes -- such as changing the background color of an application window.

"Their heart was in the right place, but I had to say, 'Look, that's not how were going to do it,'" he said. "Unless it has a change to the security impact of the system...we don't go back in and start from ground zero and relook at everything again."

Letteer emphasized the need to streamline the risk management process and clearly communicate why it is important and how it ultimately supports combat operations and keeps people safe.

"Our responsibility in this environment is to find a way to say yes, but fight stupid," he said, referring to people's tendency to take shortcuts out of convenience.

Nevertheless, he emphasized that the RMF is more evolutionary that revolutionary.

"I still don't think things have fundamentally changed as to the ultimate requirement, and you need to keep that simple approach, that Zen approach to what you're trying to do," he said.