RISK MANAGEMENT FRAMEWORK WITH DREW CHURCH

Kip Boyle:
Hi, everyone. Welcome to Your Cyber Path. My name is Kip Boyle, and I’m here with co-host Jason Dion. Hi, Jason.

Jason Dion:
Hey, Kip. Nice to see you again.

Kip Boyle:
Yeah, it’s good to see you, too, and I just found out today that there’s a chance to actually meet up in person again, believe it or not. This thing about you relocating to Orlando is working really well for me, just so you know. I don’t know how you like it, but I like it because it turns out I’m going to Orlando again to make a presentation at the ISSA Cybersecurity Executive Forum. That’s going to happen in September and going to go talk to a bunch of CFOs from global companies, but while I’m there, hopefully, we can find some time to meet up and have a meal. You have a new office, maybe I could see that.

Jason Dion:
Yeah, definitely. Yeah, we’re in the middle of still moving from Puerto Rico up to Orlando. We’ll be finishing that move in 2023, but right now we have the offices at least finished. They finished that as of this morning, so they’re ready to be moved into, and I will be in town when you’re in town, so we’ll definitely have to catch up. That is one of the nice things about Orlando is it’s Orlando and Vegas is where all the conventions seem to be, so you get a lot of conventions and conferences. I get a lot of friends who are flying in, flying out and I get to hang out with them when they come into town.

Kip Boyle:
Oh, how super convenient for you. I love that it is a direct flight from Seattle to Orlando because I don’t like changing planes. I’m done with that.

Jason Dion:
Yeah, a lot less likely to have your luggage get lost when you don’t have to change planes, which is nice.

Kip Boyle:
Yes, and it doubles my transit time coast to coast. It just completely blows out my day and makes it so much longer than it needs to be. Anyway, it’s good to be back recording our episode here. Hey, what we’re going to do today, everybody, is we’re going to take a closer look at something called the NIST Risk Management Framework. Now, this is a really important document if you’re working in the Department of Defense, various parts of the U.S. federal government on the civilian side. We’re trying to bring more information about this to you, our audience.

We thought the best way to do that was to get an expert, so on the podcast with us today is an RMF expert. His name is Drew Church. He’s the Global Security Strategist with Splunk. If you’ve heard of Splunk, I’ll let Drew tell us what Splunk is, but Splunk is a really important tool for people working in cybersecurity. Hey, Drew, thanks for being here.

Drew Church:
Hey, thanks, Kip. Thanks for having me. Thanks, Jason. Jason and I go back quite a ways, and I also learned just a few moments ago that you’re from or at least located in Seattle. When I’m not TDY for several months to Virginia, I actually live about an hour outside of Seattle, so hopefully we’ll have a chance to meet up face to face. Yeah, so Splunk, we’re a big data platform. We do analytics, a lot of security use cases that we have on Splunk. That’s kind of where I got my start with the technology is actually doing part of continuous monitoring for RMF using Splunk, so we can definitely talk a little bit about that. I’m not here on their dime today or anything like that. Not a sponsored show or anything like that. It’s just me talking, but happy to be here.

Jason Dion:
Yeah, as we have with a lot of other guests, the opinions expressed by Drew are Drew’s opinions alone and they do not reflect upon Splunk, who is his employer. I just wanted to make sure we all pointed that out. He works for Splunk-

Drew Church:
And-

Jason Dion:
… but he’s not here representing Splunk.

Drew Church:
Yeah, and the opinions might not even be mine. That was a joke.

Jason Dion:
Yeah, as Drew said, him and I go way back. We actually worked together several years ago in a cybersecurity organization and we spent quite a bit of time working together and we’ve kept in touch over the years. When we started diving into RMF, I started thinking about, who in my network has a lot of experience in RMF? Drew was one of like the top three names that came to my head, so I immediately reached out to him and invite him onto the show so we could talk about RMF.

The thing I wanted to mention with RMF is, as Kip said, this tends to be used very heavily in government, especially in the DOD for either military contractors or civilians. That said, if you’re not working for one of those organizations, I still would listen today because RMF is one of those things that if you end up working for one of these government contractors one day, or you even work for a software as a service company that has a contract with the DOD, you sometimes have to deal with that, For instance, Splunk is not a DOD person, but they do sell a lot of things to the DOD, and so they have to go through this RMF process as well with some of their tools to get them approved for use on the different networks in the DOD. We’ll be talking about that as well as we go through today.

Kip Boyle:
Excellent, excellent. Okay, so what we want to do is really we want to get into RMF. RMF is a framework that has seven steps, but I think maybe before we get into those seven steps, it might be nice to talk a little bit about what RMF is, what it’s not at a high level. Jason or Drew, would one of you guys like to just kind of give us the thumbnail sketch of the purpose of RMF?

Jason Dion:
Sure, I’ll let Drew jump in here if he wants.

Drew Church:
Yeah. RMF, the Risk Management Framework is that seven-step process and the really idea is to right-size and come up with the right amount of security for the right system at the right time and at the right cost. If you think about the whole program as that and work from that, it gets a lot easier. I did mention costs, and so hopefully those of you in the commercial sector that are thinking about that, you hear bureaucracy and you hear costs, and those things are usually pretty high. I think there’s a way to do RMF at the right cost, but the big picture there is selecting the right kind of security for the system or systems or company or organization and do that correctly and in a pretty systematized systematic way.

Kip Boyle:
Hmm. Okay.

Jason Dion:
Yeah, I think that’s a great point because when you’re dealing with RMF, the idea is not to 100% secure every single system out there. It’s a matter of managing risk, which is why it’s called the RMF, the Risk Management Framework, and so if I have something that is going to be used by one person and connected to one dial-up computer terminal that’s not even connected to the internet normally. There’s probably less of a risk posture there, and I wouldn’t want to spend billions of dollars protecting that. On the other hand, if I have a mobile device that can process top secret information, I probably want to spend a lot of money protecting that because it’s mobile and it has top secret information, so we want to make sure that is well-protected. This allows you to kind of, as Drew said, right-size based on what the thing is you’re trying to protect.

The whole idea with RMF, at least in my experience, is to get to a point where an authorizing official can decide, “Yes or no, we’re willing to accept the residual risk of this thing when we connect it to a network,” because you’re never going to get a hundred percent of the things taken care of when you’re putting all your controls together. There’s just no way to protect everything a hundred percent of the time, and so you just want to get it down to a reasonable level where the risk is willing to be accepted based on the benefits you’re going to get.

Kip Boyle:
Yeah. Oh, thank you. I think that’s an excellent summary. There’s another thing that I’d like to point out before we really start unpacking the seven steps and getting Drew’s take on kind of the reality of using the seven steps because there’s what’s documented, there’s what the government’s looking for and then there’s like, how do you really do it in the real world? The other thing I want to say that I think is really important and helpful to understand RMF is that it’s based on a life cycle development process. That seems to be the major lens through which RMF describes what needs to be done. I like to compare and contrast that to the NIST Cybersecurity Framework because some people seem to have this idea that they’re just sort of like synonymous with each other. In my experience, I don’t think that it’s very synonymous. I actually think it’s complementary because the Cybersecurity Framework is actually organized around the five steps of a computer incident and how you handle it. I think that’s a really important distinction, but Drew, what’s your opinion of that?

Drew Church:
Yeah, I think that they are complimentary. I think that everything inside of the Cybersecurity Framework is inside of RMF, and then RMF has a ton more stuff, but it is organized differently and I think that makes it significantly more approachable for smaller organizations or less mature organizations. They could be a Fortune 5 company and very immature, or they could be a mom and pop that stood up yesterday. At the end of the day, both of those control sets, and we’ll talk about that I’m sure, they are at the end trying to help you figure out what to do and how to do it and actually help you make smarter purchasing decisions, which is another interesting topic as well. Overall, I think no matter how you approach it, either from the RMF side or from the Cybersecurity Framework side, you’re getting the same goodness really coming out of NIST and the experts there.

Jason Dion:
Yeah, I completely agree. I’ve seen a lot of people who they say CSF and RMF in the same sentence and they think they’re the same thing. In fact, when Kip and I started making our NIST Cybersecurity Framework course, we were working with Udemy Business to get it added to their catalog, they were actually asking for a NIST Cybersecurity Framework and RMF course and we’re like, “Whoa, whoa, whoa, whoa, that’s not the same thing. Let’s do one, and then if you want the other one, we’ll make the other one, too.” We are, we’re currently making an RMF course to go through how you actually do this in the real world, but we had to break that apart for them because most people when they talk to hiring managers, when they talk to HR, when they talk to all the people in the instruction and recruitment areas of these large Fortune 500 businesses they deal with, they kept hearing, “We want CSF and RMF,” and they thought that was one thing.

We’re like, “No, no, those are two different things. They just work really well together.” That’s why we’re going to talk about that in this episode, and I guess that brings us to the first thing we should do, which is lay out, what are the seven steps of RMF? I’ll go ahead and kind of read those off at a very high level, and then we’re going to talk with Drew as we go through some of these steps and kind of figure out, what does this look like in the real world? Where are the pain points? Where are the bodies buried, I guess, as you start dealing with the stuff in the real world?

When we look at the seven steps, as we said, it is a life cycle. It starts out with prepare, and during the prepare phase, you’re going to be doing all the essential activities to prepare your organization to be able to manage your security and your privacy risks. When you look at RMF, really there’s two big risk areas they focus on. One is the security risk or the cybersecurity of your organization, and the second is the privacy risk because of all the data breaches that occur. These are two main areas you’re going to be focused on.

The second step is to categorize. During the categorized phase, we’re going to be categorizing our systems and all the information that it processes, stores, and transmits based on an impact analysis. This goes back to what Drew said when we start talking about right-sizing. Yes, you can categorize a system as extremely important and needs to be protected at all costs, but if it’s going to cost a billion dollars to protect this thing and it’s only protecting a piece of data that’s a dollar, that doesn’t make a lot of sense, either. You want to make sure you’re categorizing things in the right mind based on the information that’s processing and the level of that information.

The third step is select. When you’re selecting, you’re going to be going through the control sets which are located in the NIST Special Publication 800-53, the same one that we referenced back in our NIST Cybersecurity Framework courses, one of the places you can get controls from. This is why these work together, and you’re going to select the controls based on the risk assessment of the systems and the data you’re trying to connect.

Then, we get to step four. This is where we’re going to implement, so we want to implement all those controls we selected. For instance, we said we’re going to implement two-factor authentication. We’re going to use data at-rest encryption. Now, we have to go put all those things into the system, and that’s where the implement step is. Then, we get down to our next step, which is to step five, which is to assess. Now that we’ve implemented our controls, we need to assess to determine if those controls are in place, if they’re working right, and if they’re giving us the results that we expected.

For example, if we said, “We’re going to protect the system using multifactor authentication,” and we decide to use an SMS text code for that and then we find out that those can be easily hacked or bypassed, well, that’s not giving us the protection we want. Maybe we want to move to an RSA key fob token solution instead for our multifactor authentication. That’s the idea of asses. Is this working the way we intended?

Then, we get to number six, which is our authorized step, and authorized, this is where your senior officials start making risk-based decisions to authorize the systems to operate. In every organization, whether you’re a government organization or a civilian organization, somebody should be making decision of when you can hook something up to the network. That senior official, whoever that is, is going to be responsible for all the risk that is now being accepted by that organization because somebody has to make that determination. 

Then, the final thing we do is step seven, when is monitor. At this point, we’re going to continuously monitor our systems and monitor all of our controls to make sure they’re working the way they should, to make sure the risk is at the level we thought it was, and if those risks start creeping up and getting higher, then we want to go back and iterate again and start categorizing, selecting, implementing, assessing, authorizing, and monitoring again to make our systems more secure and reduce that risk again. Again, this all goes back to how you’ve categorized things back in step two, so you know what level you need to meet. Guys, do you think I did a decent job of covering the 50,000-foot view?

Drew Church:
Yeah, definitely.

Kip Boyle:
 Yeah, absolutely Jason.

Jason Dion:
All right, cool, so let’s talk a little bit about prepare. What happens during the prepare stage? What does this look like in the real world?

Drew Church:
Yeah, and so when we start thinking about preparing, you’re going in and digging deep as to actually looking about what you’re trying to do. I think there’s like a… I like to think that there’s a step before prepare, but it’s really all part of the prepare. You have to look at this as a system of systems. You have to look at your organization. You have to look at the left and right lateral limits that you’re operating under. You have to understand who those people are. You need to identify folks, like you mentioned that senior risk official or the risk key executive, whomever this happens to be. Those people have to be identified. You have to understand what the part of the organization is, if there are legal constraints, you have to understand about in those more military or government sectors of the appropriate rank and whatnot to be able to make those decisions. 

You have to do a lot of kind of pre-work before you even get into the RMF stuff, which is a big picture to me, and the thing I think about is like understanding hierarchies of systems. Take big picture, you’ve got a multinational corporation and there’s going to be, we’ll say, six different sites.  When you’re thinking about the prepare step, are you looking and are going to be embracing this as the overall entire organization? Or are you looking at doing that for one of those six locations and in a specific location?

When you take that and then also think about this concept of common controls, and these are things that I think, and this is where real world I wish people did a little bit more of in thinking about this big picture, is saying, “Hey,” if you go looking at that category of controls, there are things like traditional security controls. Do I have the right locks on my doors? Do I have the right fire suppression systems and other environmental controls? Do I have redundant power? The things that start getting into kind of the availability in the CIA triad, which I’m sure you talk a lot about. Think about that. One site may be different than another, but when you think about maybe the background investigations that all people that come into the organization have to go through, they’re all the same.

Jason Dion:
Yep.

Drew Church:
That might be a great opportunity to identify those common controls around personnel security that all to all systems so that you answer them once and once only, because what I see in the real world that don’t understand what their common controls are. This is what gets into the concept of an heritage and saying, “Hey, I’m inheriting that from another system that I’ve authorized because, yep, you know what? Everybody that works on my system was already vetted through our organizational policies. I don’t need anymore.” Boom, I’m not going to have to answer that, and that flows into other steps.

When you get this done right at the outset, it significantly saves time, it saves money, and quite frankly, saves sanity throughout all of it. Really, regardless if you’re working on the big, big system or you’re working on that super hyperimportant system in a corner that does really important, but small-scale, it’s all setting it up to size the right amount of security to apply and manage that risk effectively.

Kip Boyle:
Hmm.

Jason Dion:
Yeah, and I think one of the really interesting things in what you just said, Drew, is we tend to be as cybersecurity folks always thinking about the technical solution, but you went right out to prepare and you thought about, “Hey, what about those physical solutions? What about those door locks? What about the personal background checks and all those things?” You’re right, a lot of that, especially in large organizations, a lot of listeners know I used to be in the Navy, and in the Navy we have networks all over the world, across six different continents. A lot of those same things and those same people are moving between different areas. If you’re working in the United States versus working in Italy or the Middle East or in Japan, and I’ve worked in all of those places, we had different requirements at the physical security level.

There was a baseline and the lowest level was here in the United States, but when I was overseas, they had a higher threshold, so we accepted all those controls from the people coming from the United States and then added to those what was unique to our particular site. I think when you’re looking at prepare and seeing how can you reuse the work of others, that’s really where this comes into as making sure you’re ready to start the whole process. 

Kip Boyle:
You know, as a person working in private sector only, Drew, when you were talking about this, the thing that popped into my mind was when I use a cloud provider, they operate on a shared responsibility model, and when I use like an AWS service, for example, like S3 where I store objects in the cloud, I actually inherit all the controls that Amazon already has in place like data center security and so forth, right? At least-

Drew Church:
Yes.

Kip Boyle:
.. conceptually, that seems very similar. Tell me, am I getting it?

Drew Church:
100%, and nobody thinks about it. You’re like, “Oh, a cloud world, I’m so far advanced, I move past things like Risk Management Framework.” Ha ha, you really haven’t. It’s just the same thing under a different guise, so that shared responsibility model, exactly. 100%, Kip.

Kip Boyle:
Got it. Okay. That’s cool. All right, well, anything else, Drew, in the prepare step that is particularly maybe difficult to understand or tricky to get right? Or just anything else that you could share with our audience if they find themselves working on this step?

Drew Church:
This is where the project management skills, understanding organization, you’re going to probably have some tooling. They may be, if you’re in the DOD, you’re going to know the system, you’re going to be doing this, then, depending on the classification of the environment like, “Hey, what tool or technology are you going to use for this?” There’s a lot of, by the way, Microsoft Excel and Microsoft Word going through that whole process, but there’s also-

Kip Boyle:
Oh yeah.

Drew Church:
… like other tools, and so you’re probably going to be using those, so understanding those, understanding who has access to do what, figuring out the roles of the people involved. We mentioned that authorizing official, there’s other roles like the information system owner, other things like assessors that go into other parts of the process.

Part of that prepare step is identifying those people, and so making sure that you know who’s on the hook for what and kind of when because if you choose the wrong people and you’re like on a timeline, it’s not going to go so well. Understand all of that, get that kind of… and start building those relationship as soon a possible within whatever the chains that you can can to make sure that the whole process is successful. It’s all about getting prepared, it’s in the name, to get this whole process done, as easily and as smoothly as possible.

Jason Dion:
Yeah, and I think the other thing to bring up when we talk about RMF is it’s a lengthy process sometimes. I’ve done several RMF packages. The fastest I think I’ve gotten one through was about five months and people thought I was lightning fast because five months is really unheard of in the RMF world. Generally, it can take you one to two years to get these things from the time you start preparation to the time you have finally gotten everything approved and authorized in step six and ready to actually put that thing on the network. The preparing, the more you can do in preparation, the better you’re going to be as you move through the rest of the steps because you can grease the skids a lot of times.

As you said, if you have a choice of person A or person B and you know that person B always lets things sit in their inbox for a month before they look at it and person A is kind of top of their game, you may want to swing by person A’s desk and buy them a cup of coffee and see if they’re willing to be the guy who’s going to, you know, the person going through your RMF package instead of getting stuck with person B. I’ve seen a lot that where it’s not necessarily buying off the person who’s going to be looking at your stuff, but it’s just getting yourself a higher priority, especially when they’re competing for that one person may have a thousand packages they’re looking at and they only have time to look at one a day or two a day. Trying to get yourself as a higher priority sometimes can work wonders.

Drew Church:
I know we’re all-

Kip Boyle:
[inaudible].

Drew Church:
… IT and cyber professionals, but soft skills, folks, soft skills matter.

Jason Dion:
Yes-

Kip Boyle:
Oh.

Jason Dion:
… we’ve talked about that time and time again on this podcast. Being likable will get you to the top of the queue. It’s amazing.

Kip Boyle:
Yeah, yeah. Thank you, Drew, for saying that because Jason and I emphasize the importance of people skills all the time, soft skills, and so we didn’t pay Drew to say that. He said it on his own because he knows it’s true, but I appreciate you weighing in on that. How about the second step, the categorize step? Drew, what would you tell somebody, again, who’s doing RMF for the first time? What are your insights about how to get this step done as quickly and as cleanly as possible?

Drew Church:
Yeah, I think the categorize step and select steps, the next two, are really where the rubber starts meeting the road for the risk management professional to get it and start digging deep. This is a great time to actually open the 800-53 and whatever revision you happen to be working on, currently published is Rev.5, though I know a lot of people do work on the Rev.4 controls sets. Actually, understand and start reading the pubs. I’m not going to say read all of the controls yet, but you want to go read and understand, like go read the summary, go read how to do this, especially if you’ve never done it before. You’re going to start getting familiar with the vernacular, the taxonomy of the words and some of the things that are a little bit more common, like the thing that I want to talk about first, which is information types.

The concept of an information type is to start building and understanding what type of system you have, and that’s all about data. Data really is everything, and the reason why we have information systems is to process information. We go back to our DIKW pyramid and all that fun stuff. You have to have that on it, and so when you understand what that is, that’s how you start building out these information types. The concept here is relatively simple. Hey, I am using a system that’s processing medical records, for example. I’m also going to have probably some administration information about how to run the system on here, but maybe I don’t have the nuclear secrets on this system.

When you start identifying that, you’re going to have the information types, and this catalog is going to depend. If you’re working in the government sector, and particularly in the DOD, you’re going to have these information types given to you in advance, like, “Here is the registry of information and here’s some stuff.” If you’re working in those cycles, be aware of what that catalog is to pick from. You don’t have to make this up by yourself. The challenge I’ve seen in that area is people don’t know what it means, so if you say, “Patient health information,” and in many cases these are much more granular information types, what’s in a name? What does somebody think a patient record is? You can go back to the ’90s and look at Presidential testimony and, what is the definition of is and whatever, right? Like-

Kip Boyle:
Right.

Drew Church:
… people get to that level of detail here because when you get to why these matter, which is the concept of the high-water mark, which feeds into the next set of control, your information dictate what your confidentiality, integrity, and availability impact levels are going to be, which then further on down the process does some more stuff we’ll get into in a second.

When you know your information types and know the information, we go back to our CIS, control number one, know thyself. Know your information, so you identify these, and then there’s a matrix. This is where you get into the spreadsheet game where, “Hey, okay, I’ve picked my information types, I’ve pulled my catalog, and now I can say, ‘Hey, my system, because of all of this, is a confidentiality. I look at the highest one, oh, there’s a medium here, this other one’s in integrity is low and availability is high maybe because I’m processing life-saving information.”

That’s where you get into the rubber meeting the road bit, and this is where you start getting into the informal negotiation because I just said high. The word “high” means a lot to a lot of people in RMF because when you start getting into high anything, that means not only are you going to be mandated to start doing a lot of specific controls, you’re also going to have these things called control enhancements. This is where you’re like, “I’m doing a lot and, hey, the first 80% is pretty easy,” but then we start getting towards that top like, what does it mean to get to a hundred percent secure or whatever, it gets really hard to do.

It’s hard from a knowledge perspective from the professionals to knowing how to configure those controls. It’s hard on the cost. “Hey, I have to go buy something or I have to spend more money on people to do these things.” Nobody really ever wants anything ever to be high, and you can go look at the matrix. I don’t have the reference off the top of my head, but when you go from medium to high, it’s just like an astronomical amount of controls that get added. These high-water marks, I think, are what cause a lot of contention, and if I was to go and had a magic wand and change RMF a bit, I would really maybe make this more like the pirates code, and it’s more like guidelines, right?

Kip Boyle:
Mm-hmm.

Drew Church:
Where, “Hey, this is what the high-water marks should be, but understand what this means, and then you’re going to move into the select phase.” We can talk about that, but you probably have some questions for me.

Kip Boyle:
Yeah, definitely. Jason, if it’s okay, I want to actually rewind a little bit because, Drew, you mentioned a pyramid that I’ve never heard of before. Can you-

Jason Dion:
The DIKW, yes, so-

Kip Boyle:
Yeah, DIKW pyramid. I don’t know what that is.

Jason Dion:
 Yeah?

Kip Boyle:
Yeah, help a brother.

Drew Church:
Yeah, go for it. Jason. I think you have a certain designator for knowledge management, so go for it.

Jason Dion:
Yes. Yeah, I was a former knowledge management officer in an earlier life and DIKW is really important to that, so when we talk about DIKW, these are the four types of information that you can have or knowledge. You start at the lowest level, which is data. The number 32, that is a data point. That’s a piece of data, but it doesn’t really tell you much. If I go to information, you have a little it more fidelity of that. For instance, I might say 32 Fahrenheit.

Now, you know a little bit more information, and so it’s a little bit more than just data because you know what that thing is about. Then, you start moving up and you go Di and then you go to K, which is knowledge. Now, when I say 32 Fahrenheit, well, that is the freezing point of water in the United States, and any place that is using the imperial system, I guess, which I think is pretty much just the United States, if I remember correctly.

In the United States, 32 F would tell me, “Hey, that’s the freezing point,” so if I’m an insurance company, I might know that when the temperature gets down to 32 F, we’re going to have a lot more car accidents. We’re going to be paying more money. That becomes knowledge because I’m taking the data point, the information, and now I’m extrapolating that with other pieces of information to combine that into some kind of knowledge.

Then, wisdom tells me that, “Hey, if I can work from home, I should just stay home today because it’s 32 degrees out and I don’t want to deal with snow and ice on the roads.” You go from this data to information to knowledge to wisdom, and it’s always harder to get up to wisdom, but that’s where you start learning from your mistakes over time and things like that. We talk a lot about data science and we get all this data collected, but really data by itself is not that useful. It’s what we do with the data and how we combine it to get information or knowledge from it. That’s where knowledge management organizations was really big in the ’90s and 2000s. Now, we go into data science and data analysis instead, but it’s a lot of the same.

Kip Boyle:
Oh, that’s interesting, so-

Drew Church:
Yeah, I think I showed my age there.

Kip Boyle:
Yep.

Drew Church:
Well-

Jason Dion:
You’re not that old, Drew. I mean, you’re younger than I am.

Drew Church:
Yeah.

Kip Boyle:
DIKW, thank you for explaining what that is. Now, Drew, how does that help you with RMF?

Drew Church:
Right. It’s understanding, it’s the context that your information system lives in, right?

Kip Boyle:
Hmm.

Drew Church:
Knowing that you have patient health information is great, but how is that information used? Where does it start transiting your network? Where is that data stored? What legal complications and regulatory bodies do you have to work with when you have that information? As you start thinking about 32 may have been a number, but now you start putting that F on it, okay, now you know it’s a temperature.

Then, as you grow up the period, now you’re tied to a person and you know that that was Drew Church’s temperature on this date at this time. Now, you have a patient health record. When you start thinking about how the data comes together and how you need to protect it and where that goes in your information system, I think it allows you to really start digging into what that information means a little bit better.

Kip Boyle:
Yeah. Okay. Thank you very much for unpacking that acronym and then connecting it to RMF, Okay, thank you. Now, I feel like I can focus on the topic.

Jason Dion:
The other thing I wanted to point out is when Drew was talking about the categorized and select state, one of the neat things that he mentioned was how it was not guidance, and he would love it to be guidance. Whereas, when we talk about NIST Cybersecurity Framework, Kip, I know you make a big point of this in our course, that this is not a requirement. You do not have to do every single thing inside the NIST Cybersecurity Framework to be using the NIST Cybersecurity Framework. It’s kind of the guidelines, it’s the guidance, and you can change it based on your organizational needs to more or less based on what you need. RMF is not that way. RMF is much more structured. You have to do all seven steps. You have to put a certain amount of effort into each of those steps based on whether it’s high, medium, or low, as Drew said.

Knowing that and knowing that if you go to a high, you just bought yourself into a whole bunch of more work and a whole bunch of more stuff is important to realize. Not saying you should never categorize high, but you just need to be aware of what you’re buying yourself into when you say this is a high system instead of a medium or a low system. The other thing I think that’s really important when you start dealing with RMF is to realize that usually the person who is doing this, it’s not that you’re going to be doing all seven steps by yourself, either. RMF tends to work in very large organizations. Like we said, it’s very heavily used in the government and DOD, and so I may be the person who’s categorizing and selecting the controls, but I’m not the actual system of industry who has to actually go and implement all of this stuff. 

If I say, “Yes, we want full disk encryption, that’s a requirement,” now I don’t get to tell the system administrators that they’re going to do that using a third-party product or BitLocker or FileVault 2 or whatever it is. They get to determine what meets that requirement. I just got to say what the requirement is, and that’s what we’re really doing in the categorize and especially in the select phase is we’re saying, “Here are all the requirements that we’re going to put in place to make sure this system is secure and has a lower level of risk.” Then, we get into our fourth step, which is what we’re going to talk about now, which is implement, and this is what-

Kip Boyle:
Wait, wait, wait, wait.

Jason Dion:
… [inaudible] do all of that. I’m sorry, go ahead [inaudible]-

Kip Boyle:
Before we go to implement, I wanted to-

Jason Dion:
… [inaudible] doesn’t want to wait on you.

Kip Boyle:
… comment about one thing. The NIST Special Publication 800-53, I have seen so much confusion about that publication and I’ve heard people say like, “Are you SV 800-53-compliant?” Or people will say, “Well, have you implemented 800-53?” I think what people don’t understand, and Drew and Jason you can tell me if I got this totally wrong, but it’s a catalog of controls. You-

Jason Dion:
Yes.

Kip Boyle:
… don’t implement everything, not even close. You are picking and choosing out of that catalog based on need. Then, I remember you said something about enhancements. Almost every control has additional things that you can add in order to strengthen the control or make it more suitable for a higher level of protection. Did I get that right on the publication?

Drew Church:
Yeah, and I glossed over a huge part of that selection of controls as to how that selection happens. Big picture, you have the high-water mark, and when you go look at the matrix and how all those controls and the control families, it will literally say, “This applies to confidentiality high,” or whatever and only that. Or maybe it’s a low, low, low, meaning every system will have this in the control set that is built from that categorization process, right?

Kip Boyle:
Hmm.

Drew Church:
That’s like the starting place, and then selection’s all about tailoring. You’ll hear the phrase “tailoring these controls” a lot, and so that’s adding and removing controls and control enhancements in just a second that say, “Okay, how do I kind of tune this a little bit?” We got the big picture, which is objective, which is the control, and then how I go about doing that in more not the architecture way, but like the policy and the how and the big picture, how am I going to measure this later? That’s what’s in the details of these controls, and so the control enhancements turn that full-disk encryption requirement up to 11. It’s full-disk encryption and it has to be done within three minutes of the system coming online or whatever the crazy thing happens to be.

The big point of selection has to be a conversation. I mentioned in prepare that we need to be talking to people, and this is where the negotiation happens. This is where I would recommend that if you’re like a strong policy person or a strong RMF person, but not like you’ve never really worked as an administrator on a system before, your information system security engineer or architect, the different implementations of RMF have different role names. This concept of the ISSE, these are your smart people that bridge the divide. This is where you really want to be bringing them in and talking about the controls that were picked from this baseline of controls based on your categorization and starting to pick, what do you really think you should do? What should you take out?

that control won’t do what it says it will on our system because of A, B, and C, or maybe everyone’s favorite screen lock. I’m in Virginia right now, and you might hear a plane fly over my heard in the recording of this podcast, and if somebody mandates a screen lock on one of those jet fighters flying over my apartment, that’s probably a bad control for that system. I bet that if I was to go through the RMF process, that would be a control that would be selected. This is where, I think, the real life people that don’t think about this critically and don’t have partnerships in their organizations get it wrong. “We have selected this control and it will be implemented.” You’re just like, “This is never going to get implemented because literally the computer in the plane, it doesn’t work that way.” I think that’s a big thing to think about with the selection.

Kip Boyle:
Okay, okay, and is this what you meant when you said tailoring before?

Drew Church:
Yes, exactly. It is, “Hey, what do I want to do? What do I not want to do?” It can’t be, “I don’t want to dit because it’s hard and I don’t want to do it because it’s too expensive.” Now, there may be this costs too much based on the… Again, it’s the old you don’t apply a $10,000 security control to a $5 hamburger. You don’t do that. That may come out in the wash, but if that’s your only reason is this is an X-dollar number and you aren’t actually making a risk, that’s not your decision at this point. You need to be bringing all those people in to saying, “Hey, what is the right amount of stuff?”

Jason Dion:
Yeah. I think Drew gave a really good example of these aircraft are computerized and you don’t want them to have a lock screen. Another good example of this is when I was in the Navy, I was getting a system through RMF that was specifically being used by watchstanders who have a 24/7 watch, and there’d be three different people who would stand that position. Now, they couldn’t afford to log out of the computer, which was running Windows 10 or whatever, wait the three minutes, and then log back in because during that three minutes, there was time that bad things could be happening and that watchstander couldn’t do their job.

One of the controls says every person needs to log in individually with their user name and password using a smart card and a PIN. That way, you have multifactor authentication for all these good security controls. That’s great, except for the fact that it takes three minutes to log out a user and log in the next one. What we had to do was create an exception based on that category and control that said you must have multifactor user identification using a PKI certificate, and we were able to get a…

Kip Boyle:
An exception?

Jason Dion:
… an exception, thank you. My brain stopped working, an exception to that rule that allowed instead of having to have them log in and log out each time that for that particular thing since it was a watchstander.

The goal of that control was to figure out who was using the computer at a given time if there was a security breach. We had to do something like having a log, so the person would actually log in. I have the watch, I’m now in charge from midnight to 8:00 AM, and now Jason’s on watch instead of Drew, so Jason gets blamed if something happens at 3:00 in the morning.

Kip Boyle:
Oh, so you actually got-

Jason Dion:
[inaudible]-

Kip Boyle:
… a pen register.

Jason Dion:
… now an administrative control instead, right That met the requirement for the-

Kip Boyle:
Right.

Jason Dion:
… system using the logic of we can’t be offline for three to six minutes cause people are logging in and logging out.

Kip Boyle:
If I’m taking watch from you, Jason, you’re picking up a pen or a pencil and you’re signing in a log saying, “I’m out of here,” and then Kip picks up the pen or pencil and signs in and says, “Okay, it’s me,” and that is the change of ownership on that account.

Jason Dion:
That’s exactly what they did, yeah, and it was basically I signed out, I no longer have possession, Kip now has possession and he’s in charge. Exactly.

Kip Boyle:
I love that. That’s a fantastic example.

Jason Dion:
Yep. Now, it’s not-

Kip Boyle:
That-

Jason Dion:
… as good technically, but it works administratively, right? It met-

Kip Boyle:
Mm-hmm.

Jason Dion:
… the requirement using that tailoring of, what does the system need to be done? Same thing if you’re on the back of a EP3, for instance, you can’t afford to log out when it’s the next person’s time to take their six-hour watch.

Kip Boyle:
Right [inaudible].

Jason Dion:
You need to continue that mission the entire time. You have to be able to have these type of controls that can be tailored to your particular unique environment.

Kip Boyle:
Love it.

Jason Dion:
All right. Can we move to number four now, Kip?

Kip Boyle:
Yeah, please.

Jason Dion:
All right, number-

Kip Boyle:
Sorry for the-

Jason Dion:
 … implement.

Kip Boyle:
 … hesitation.

Jason Dion:
At this point, we are going to implement all these controls. We picked out all our controls, we’ve categorized our system. We said, “Here is the 3,000 controls that we’re going to implement on this new server before we hook it up. What do we do now, Drew?

Drew Church:
Yeah, and I think as we… I think about the audience of this podcast. I think a lot of the people probably listening aren’t going to be ones doing a lot of the implementation, so my advice here is really about what your role of that is going to be. If you’re an administrator, you know this is where your job starts and things get really hard. I think one of the big pictures here is like, “Okay, so a security control says I need to have multifactor authentication.” It doesn’t say what vendor I’m going to use. It doesn’t say what tool and technology or process inside of that I’m going to use. Now, there are some caveats to that. There are in the concept of organizationally defined attributes, these will be listed within the controls that say as, “Hey, here are maybe specific timeouts.” That 15 minutes would probably be an organizationally defined attribute.

here may be other types of prescriptive nature coming from the very highest levels of whatever organization you work with that may say, “You are going to use this piece of software or this hardware,” but that’s very rare. This is where the people have to figure out what they’re going to do to meet these controls. Outside of the Department of Defense and the United States, this is the hardest thing because they’re like, “Oh, I just got to do the MFA.” Now, I work in the commercial sector now in my role at Splunk, but my background is actually over 10 years working for the Navy as well. We just… This is what you’re going to do. You have these things. Here’s the tool, here’s the technology, and you’re just going to do it because you’re not thinking about that at the level.

If you’re a commercial or maybe a private business that’s working in support of a contract, you’re going to have to start thinking about these things. My biggest piece of advice to anybody here that’s never heard this is what some, and I think Jason might think of us as a four-letter word and I’m going to say it, STIGs. What these are do are super security technical implementation guides, and these say… They’re each tied to a control, an RMF control that says, “Hey, if you have to implement multifactor authentication as this control, there’s a cross reference. Here’s technologies that you can use and here’s literally the step you have to follow to enable it on that tool or technology, or that platform, for example.

 I make it sound very easy and it’s not that easy, but that’s some great guidance that can get you started. I think that’s a really important thing to understand is implementation is hard and it takes time. The next thing I would say, Kip, on this is implement part of this, and there’s a lot of Excel spreadsheets and timelines. The project management skills are going to be important here, and when you start building out your implementation plan, you have to give dates. If you lie here, your life got a lot harder and will be forever impossible. This goes all the way back to that selection as well.

If you said, you were like, “That control is never going to get implemented in my system,” and you let it through into the implementation,” now you’ve got to say when you’re going to have it done by and how much it’s going to cost and who’s going to do it. You’re kind of building a RACI chart. If you don’t give realistic timelines and you are trying to say that you will do these controls that you’re never going to do, you enter this do-loop and you’re just never going to get out of it. That is where folks get into a lot of trouble.

I know we could talk for hours, but this is where you get into this whole concept of POAM extension, your dates weren’t right, it’s just a whole thing. When you’re doing your implementation, it’s very important to actually talk to the people that are going to be doing the work. Talk to your resource managers if you’re like a project management organization. Say, “Here’s the work. What’s your estimate? Then, listen to them.” If they said it’s going to take six months to get this done and you put down three months, you’re at fault, not them. You can’t just… It’s the old adage, nine women can’t make one baby in a month, right?

Jason Dion:
Yeah.

Drew Church:
Like-

Jason Dion:
Yeah, yeah, yeah.

Drew Church:
… it’s just going to take what it takes and you have to listen to your experts here, and so every-

Kip Boyle:
Oh-

Drew Church:
… if you’re an executive… Oh, go ahead, Kip.

Kip Boyle:
 used a term that I don’t know if everybody understands.

Drew Church:
Sure.

Kip Boyle:
POAM, and that’s a program-

Drew Church:
Okay, yeah.

Kip Boyle:
…of action-

Drew Church:
Plan of action-

Kip Boyle:
… plan of-

Drew Church:
… and milestone.

Kip Boyle:
… yeah, plan of action-

Drew Church:
If they don’t [inaudible] say-

Kip Boyle:
 … and milestones.

Jason Dion:
I’ll use a great example. I want to get security plus certified. Well, I can come up with a POAM that in the next 90 days, here are the things I’m going to do. In the first week, I’m going to read the textbook. In the next three weeks, I’m going to watch the videos. In the next month, I’m going to do the labs. The next month, I’m going to do all practice exams. By doing… These are all of the things I need to do in order to get to my final goal of passing the certification. It’s the same thing. If I said I wanted to implement MFA, that might include buying the software, getting the software approved, getting the software installed, getting the software configured. We’re going to say, “Okay, that’s going to take a month, three weeks, two months, five months, whatever it is. That total time now is nine months, whatever that happens to be-

Kip Boyle:
It’s kind of just a project plan.

Jason Dion:
… and it has to become part of [inaudible] plan. Exactly, it’s just a project-

Kip Boyle:
Is it-

Jason Dion:
 … plan.

Kip Boyle:
… just a project plan? Okay.

Jason Dion:
Yeah, and the other term that I heard Drew say that people may not be aware of is RACI, R-A-C-I. This stands for the responsible accountable consulted and informed. Essentially, when you’re doing a project, this all goes to my project management side of my courses. When you’re doing any kind of project, and RMF is a large project essentially of trying to get the system approved, you need to figure out who is doing what and who is being consulted and who’s being informed.

For example, we were getting this podcast ready. There was several people involved and some were responsible for things like I was responsible to reach out to Drew and figure out a good date and time that works for his calendar and my calendar and Kip’s calendar. Kip was accountable for doing some research on RMF so he was ready to open up the show. Then, we had people who were consulted, like we may have had to consult Drew’s wife to make sure that she was okay for letting us borrow him for this hour instead of him calling her tonight and things like that. You have these four roles that do take place, and as you go through RMF, you will assign different roles and different responsibilities and actions and information based on what you’re doing as you’re going through this process.

The other thing I wanted to bring up real quick is implement. Drew said for most people on the podcast, you may not be involved in the implement stage unless you’re a system administrator. I know we have a lot of people in our audience who are system administrators trying to break into cybersecurity as well, so the place where you might be involved with RMF is doing all the implementation as opposed to doing the paperwork process of the categorization and selecting controls. Remember, when you’re doing your resumes, these are transferable skills because when you’re doing that implementation of putting in the multifactor authentication, you are doing cybersecurity.

In fact, you’re doing a very important part of cybersecurity in securing the  system. A lot of people don’t think about that when they’re implementing their different controls, registry edits, installing patches and things like that. That all is-

Kip Boyle:
Yeah, they don’t.

Jason Dion:
.. cybersecurity work, so keep that in mind. Again, I think Drew brought up a great example when he talked about MFA as a good example. You might have a system that says you must have MFA, and in the DOD, there’s a lot of systems that don’t always have a access to smartphones. Using an MFA solution that requires a text message is a horrible idea because most people can’t bring their smartphone to work because they’re in a secret or top secret space. That would not be a good implementation of MFA even though it meets the RMF requirement.

This goes back to your preparation stage and identifying, what is your system? Where is it going to be used? Then, deciding where it’s going to be. For instance, if I’m in a submarine under the water in the middle of the Atlantic, using a two-factor authentication that relies on a text message code is not going to work. Instead, we use what the DOD has decided for most of the services is that they have to have a smart card, which is their ID card, and a PIN number. That’s something you have, something you know, and that is kind of the de facto multifactor authentication on every system in the DOD, and it works really well because it doesn’t rely on this third-party text messaging-type system.

Kip Boyle:
Fascinating.

Jason Dion:
All right, next one, we’re going to move into number five cause I know we’re starting to get low on time here. Next one, number five is assess, so here now we’re going to do our assessment. We’re going to assess to determine if the controls have been put in place properly from the implementation standpoint and if they’re actually working the way they should and producing the desired results. Drew, I’ll kick it over to you for, what are your thoughts on assess?

Drew Church:
Yeah, I think this is honestly the easiest step to do if you know what you’re doing, and the reason I say this is it’s an open book test. This is you’re generally not going to be assessing yourself. There’s going to be some kind of third party, and I don’t want to say that’s going to necessarily be an external third party, meaning they don’t work for the same organization.

Generally speaking, the assessment of your system against Risk Management Framework controls is going to be by some kind of person who doesn’t report through your same reporting chain. Maybe not your same… It’s a third party of some kind. They follow a guide, and that guide is the assessment procedures for these controls. Those are contained in a different publication and that’s NIST Special Publication 800-53 A or Alpha. That has the entire process by which these controls will be assessed.

My secret to being successful in this process as somebody who was almost always on the other side of it and not being an assessor, was actually reading their checklist. That’s what they’re going to go do, so if I know what they’re going to do in advance, I can make sure that I have the right documentation. I know how they’re going to examine it, so I may have done it and I’m familiar with how to show them how it’s going to be done here, but that’s not how they check it. It says over here how they check it. I go check it their way and I’m like, “Oh, okay, I didn’t realize that that… whatever.” You know it’s done, but you’re proving it to the test. You’re answering to the test.

I’m sure Kip and Jason have talked a lot about the what’s right answer to a question. It’s the one that the test writer wanted you to get, and they’re giving you the test ahead of time. Go read 800-53 Alpha. That’s the short version. The next bit of that is understand three key words, and this is to all of the people who might perform an assessment because they get tapped on the shoulder to come help a team. There are three concepts, observe, interview, and test. These are how things will be assessed. Observe, go watch it happen. If you said that the screen lock was going to do in 15 minutes, get a stopwatch out. Wait 15 minutes and, did it lock with no inactivity? Okay, yep, passed the test.

nterview, very simple. Go talk to people. Go talk to a couple of people. Did they give the right answer? Good. Test, now on the screen lock one, you kind of observe and test, and so there’s some crossover here, but maybe if you said it’s a multifactor authentication, try to somebody, have them provision you a user account and with a user name and password, and then go try and log into a system. If the system doesn’t let you log in because it now asks you for some kind of second factor to authenticate into that system, you’ve now tested to say that that’s successful.

Those are really like that’s the whole process and they’re just doing that for all of controls. Money and time are not infinite. Different assessors and the organizations that support them are going to have different skill sets. They’re going to have different priorities, and they’re going to probably have communications with whomever the authorizing official, which we’ll get to here in just a second. What they care a lot about, a quick story here is I’ve done a number of systems on a very traditional streamlined RMF process following the same people that Jason’s worked very closely with.

hey have a very regimented process. Here’s how you’re going to do absolutely everything. There’s no room for deviation because it’s really a gigantic bureaucracy. Things are getting better, but it’s still, at the end of the day, it’s a long process. Very strict in the process. I’ve worked on the side doing for other people to have it that do RMF, but they do it a little different way, and literally the person that was doing the assessment for the package called the authorizing official at the kickoff of the assessment and said, “What do you care about?”

That conversation really fed into the entire assessment plan of what we were going to do and how we assessed the system. It was much more effective and we got out what they cared about because they were the people who owned the information. I think that was really important, and I hope that as people maybe embark on their own organizational journeys of RMF are people listening and maybe there’s somebody in a DOD organization that’s like in charge of something like, “That’s a great way to do this.”

The last piece of advice on assessment that I would say here is give grace to one another because a lot of the time the people coming in to assess you aren’t going to know maybe your system as well as you do or the tool or technology that you chose to do it. They’re going to maybe ask what are perceived to be ridiculous or silly questions or maybe make them appear to be ignorant. They may be some of the smartest people, but they just don’t know how this particular vendor’s product implements that control.

Going back to what we talked about a little bit before, and it sounds like Kip and Jason have talked at length about this, this goes back to your soft skills. Understand that these people are not your enemies. It may feel like it’s a battle. It may feel like it’s a war and they’re adversaries. Don’t treat them that way and this will be a much better time.

Jason Dion:
Yeah. The other thing I would say that I’ve had a lot of success with the RMF process is, as Drew said, knowing what you’re being graded on and the format that they’re expecting to see that in. There may be things where it says, “Are you doing proper logging?” That person may want to do that as simply an interview and go, “Hey, Drew, do you guys do logging?” “Yes we do.” “Okay, check, move on.” Or, you may get an assessor who’s saying, “Well, show me your logs. Show me exactly how often you rotate your log. Show me how you’re protecting your logs and you encrypt them. Show me all of these things.” In which case you got to log in the system and show them that. If you already know ahead of time what you’re going to be asked, you can actually have all this stuff ready to go.

I had one system I was doing an RMF on and they originally scheduled a week-long assessment. We were done in two days because by the time they showed up, we had everything printed out. We had all the checklists. We knew exactly what to show them. I had basically a big binder and I just walked them through everything and they go, “Great, you guys are good. Check, move on. We’re out of here.” There is some of that, and then the other thing I wanted to mention as far as the assess goes is for those of you looking for a cybersecurity career, this tends to fall into the IT auditing bucket.

If you’re going to be an IT auditor, very checklist-oriented, very much checking, are these controls right? Are you observing them? Are you testing them? Are you interviewing about them and making sure that they’re meeting all of the requirements that were set back in the categorized and select? Now, remember, all the way back in step two and three, we categorized and we selected what we are going to basically be graded on by choosing all those different controls. Now, it’s our turn to live up and show that, yes, we’ve made those controls actually a reality.

All right, number six, this gets to be what should be a very easy part, which is the authorization place. In the number six of the Risk Management Framework, we go to authorize, and this is where your senior official is going to make their risk decision based on whether or not they want to authorize that system to actually be able to operate. If I was in the military, for instance, and I went through the RMF process, I’ve got this brand new system that’s going to connect to the top secret network, somebody has to say, “Yes, you can connect that.” Now, where this gets a little funky in the real world is sometimes they have a hard time figuring out, who is the senior official who should actually be the one to make that risk decision?

We could talk a little bit about that as well, but Drew, from your perspective, what have you seen that are challenges inside this authorization space? For me, the biggest one I’ve seen is the finger-pointing of, who is the right authorizing official?

Drew Church:
Yeah, fortunately, I’ve never had the, who is the right person? We know exactly who the right person is, but they just don’t have time, and so really I talk a lot about in my civilian capacity about zero trust. It’s in vogue right now. Here in RMF, you got to have some trust, and so if you’re an authorizing official, these things need to be delegated out. Maybe you have an expert of these types of systems. Maybe you have a delegated authorizing official for healthcare systems because they are very up to speed on all of the latest in HIPAA and all as we look at a global company and organizations, the different nuances there. They’re the ones that get to make that risk decision unless there’s like it rises to some high level. As practitioners generally speaking, this is where people in suits and ties wearing scrambled eggs on their hats that we call covers, very important people are having conversations.

This is where there’s going to be a lot of prepping your boss to go have meetings and just be honest and truthful, but give them what they need to know and not a whole lot of extra stuff. This goes back, you probably heard talking to a lawyer. “Hey, do you know what time it is?” The correct answer is yes or no. It is not, “It is 5:36 PM.” Just say, “Yep. Hey, is this control done?” The answer is yes. The answer is no, “No, and it’ll be done by this day,” or whatever happens to be. I think that’s really important. Other than that, this is up usually if you’ve done everything above it, it’s a check and you move on. There’s usually some kind of formal documentation, and if that formal documentation happens, that’s when there’s a huge party and you print it up like poster size, tack it to the wall. Everybody goes home and 59 minutes early.

Jason Dion:
Yeah, yeah, so when we talk about authorize, the cases where I’ve had issues is specifically about five to 10 years ago, the Navy started doing a switch and they created a Fleet Cyber Command that was now in charge of authorization. Well, a lot of the other commanders in different fleet areas like the Pacific region or the African region or the Europe region thought, “Well, hey, I used to be the authorizing official for all these computer networks. I still should be able to because it’s operating in my network, in my geographical region.” We had a lot of fights in there of, “Who was the authorizing official? Why could these people who used to be able to be authorizing officials no longer become authorizing officials? When can they still act as an authorizing official?”

There was… I think a lot of that has gotten fixed over the last five, 10 years, but that was something I saw a lot of, a lot of finger-pointing back and forth with some of this where people just didn’t know who was the person who was authorized. They go, “Look, I got approved.” They’re like, “Oh, no, that person wasn’t actually authorized to approve that.” That became an issue, so-

Kip Boyle:
You know, that’s fascinating because I thought what you were going to say is that people were fighting to not be the authorizing official because that’s what I see in the private sector where I would go to somebody and say, “Will you please sign off on this risk?” They’re like, “Mm-mm. Nope, not me. I don’t sign off on risks.” It’s like I couldn’t get anybody to sign anything.

Jason Dion:
Well, that became a real big issue, especially… You know, I can speak for the Navy because I spent a lot of years working in and around the Navy, and what I saw was the operational commanders, they want to be able to approve it because if they can approve it, they can make that process go as fast as they need. When they have a brand new system, they say, “I want this on here because it can do this new thing I need to be able to fight this war.” I don’t want to wait two years for our Fleet Cyber Command to eventually get around to going through the seven steps. They just wanted to fast track it by doing everything internal to their staff. They would do their own categorization, selection, implementation. They’d assess themself, and then bring it to the admiral.

Drew said the scrambled eggs, that’s it’s yellow on the top of their cap if you’re an 05 or above in the pecking order of rank in the military, at least in the Navy. That’s how you tell who’s the important people is if they have this scrambled eggs on their hat. They want to be able to sign in and say, “Yep, go ahead and connect that thing.” There’s a lot of issues because of the way the networks are built with the Navy that you can’t always do that because they only see their little portion of it, not the larger network that everybody else is tied into. That’s where I’ve seen a lot of problems with the authorized steps, so just keep that in mind. Depending on where you work, that may become an issue.

As Drew said, if you prepare ahead of time, the authorization step should be fairly quick and fairly painless. The biggest thing is just getting it onto their desk because by the time you’re done with this RMF package, it’s a hundred, 200, 300 pages of documentation, and trying to get somebody’s attention to go through that and then say yes, that can be the time-consuming part because it’s just so long. They go, “Oh, I don’t have time for that today. I’ll get to it tomorrow.” Then, three months later, they’re still, “I’ll get to it tomorrow.” That’s kind of the biggest issue I’ve had with the authorization piece of it.

Then, the last step we get to is monitor, which is step seven, and this is where you’re going to continuously monitor your control, implementation, and all the risks to your system, which is the end of our seven steps. At this point, you’re basically doing all the work of a cybersecurity analyst to make sure your risk controls are meeting the need, that people aren’t breaking into your network, that everything is working properly. If it’s not, then you want to go back and select some new controls to mitigate new risk and be able to go through.

One last thing I forgot to mention as far as authorized, the outcome of authorized, there’s three possible outcomes you can have. One is you could be accepted and you get your three-year authorization to operate. One is you can be rejected and they say, “Nope, you’re not secure enough. I’m not willing to accept the risk. Too risky, go away.” Then, the third is you can get what’s called a interim authority to operate, or IATO, which gives you 12 months essentially to say, “You’re still kind of risky. I don’t want to give you a full authorization, so I’m going to give you the authority to start working the system, plug it in, get it going, but based on your POAM, over the next 12 months, these are all the things you need to fix in order to go from this IATO into the full ATO.”

I’ve seen a lot of IATOs over the years. The biggest problem with that is now it’s a one-year refresh cycle instead of a three-year refresh cycle, and so you are going to have to go through this RMF process and go through your POAM pretty quickly to make sure it’s authorized. Otherwise, they will pull you off the network in a year, so keep that in mind as well. Sorry, back to monitor now. Drew, what are your thoughts on monitor?

Drew Church:
No, I think that’s actually a really great point. I’m glad you brought up the results of the authorization step because it does feed into monitor significantly. You tied it in beautifully. If you’re a SOC analyst right now, why are you doing that? The answer should be because people have made a risk decision that have said, “Hey, the way we’ve staffed this, the way we’ve funded, the way what tooling we’ve put in there, all of the sensors and things sending it into your SIM, there’s a reason for all of that. It shouldn’t just be because I thought it was a good idea or I listened to Kip and Jason’s podcast.” Well, maybe you should do that, too, but I digress.

The other reason you might be doing something is because of that interim authority to operate, and sometimes you’ll also hear that called ATO with conditions. Those conditions will be maybe you have to have some kind of enhanced monitoring or some other kind of like, “Hey, we’re going to be checking at this like every week, every two weeks, every month,” whatever it happens to be. Maybe, look, like this has happened to absolutely, I think, everyone at some point or another. You’d have to do your vulnerability scans because this is not always a continuous process. It is definitely moving that direction with tools that do things all the time, but everyone’s familiar with vulnerability scanning.

Microsoft Patch Tuesday comes out. Your scanners are updated. Boom, you’ve rescanned your network on Wednesday because that’s when you had that schedule for your entire package to do, and man, you have the latest like zero-day vulnerability. There’s not even a patch out, literally, so you have 10.0 CFSS scores on every single host, but you have to submit that process. You go through this entire thing and they say, “Okay, the condition is in 60 days from this date of this letter or this approval, you have to submit scans that show those are all gone.” That all goes into that monitoring step.

doing your continuous things, your vulnerability scanning. We call it cyber hygiene in this industry. You’re eating your fruits and vegetables, you’re having a salad with lunch instead of the burger again. I had a salad and a-

Jason Dion:
Washing your hands.

Drew Church:
… oh, absolutely, you’re cyber washing your hands. That’s really what the monitoring step is because the goal and the dream of this, and this is why I want to leave… People might be disheartened at this point. I want to leave them with the nugget. If you’ve done all of this properly and everyone’s bought into it, the monitoring step gets rid of that three-year number, right?

Jason Dion:
Mm-hmm.

Drew Church:
You’ve agreed and this is how we’re going to manage this system that we’re going to operate it on. If they’re going to do some spot checks, they’re going to do some inspections sometimes, some assessments, but ideally, until there’s major changes in the system, we’re just going to operate on this cadence, and so that monitoring step is critical. That’s where you do what you need you said you were going to do, have your evidence or objective quality evidence, whatever you happen to happen to call in your world. It’s your, “Hey, I said I was going to check this log every third Tuesday at 6:00 PM in my implementation plan.” I have to have the logs that show I did that, so you’re doing all of those things that you said you were to make sure that the controls are doing and continue to do what you configured and set them up to do.

Jason Dion:
Awesome.

Kip Boyle:
All right.

Jason Dion:
Yeah, so I really appreciate you sharing your wisdom with us on RMF today, Drew. I know this was kind of a longer episode than we’re used to doing, but I thought there was a lot of great information, especially for people who have really dealt with RMF to kind of see behind the scenes, what does process look like as you move through your seven steps of prepare, categorize, select, implement, assess, authorize, and monitor? If you want to learn more about RMF, stay tuned. We have another expert that’s going to be coming in that’s going to talk with us about RMF.

One of the reasons why we started bringing all of these experts in and start pounding them with all these different questions is because Kip and I are currently working on a Risk Management Framework course that will be the sister course or brother course, sibling course, to the NIST Cybersecurity Framework course that we did earlier this year. That’ll be available on Udemy and Udemy for Business. If you want to learn more about RMF, that should be coming out in October timeframe, and we’ll be doing a deep dive into RMF and all the different pieces and parts of it and how you do this in the real world and really dive into it.

I think we did a really good job today of giving a really good overview of those seven steps and where the real world intersects because sometimes you read these books and they say, “Hey, here’s how it’s supposed to work.” Then, you see what it’s like in the real world and they don’t always line up. There’s some of those things where your soft skills have to come into play if you want to get through this process sometimes. The book won’t tell you that, but it’s something that real-world practitioners like Drew can tell you from experience that that happens all the time. That’s kind of why we took the time to do that today. Before we close up the episode, I’m going to see if Drew has any final comments or any words of wisdom to share, and then I’ll go over to Kip.

Drew Church:
One thing you said that really resonated with me, Jason, was if you’re trying to get into cybersecurity, things like there was implementation about implementing security controls or maybe doing some kind of IT auditing. These are great places to get into it and, quite frankly, my story and my entry into cybersecurity was implementing controls based on an RMF package, particularly vulnerability management. I started as an administrator and I got into this business through embracing Risk Management Framework and saying, “Hey, this is the rules of the road. I want to know how they are.”

I became kind of a subject matter expert and that opened a multitude of doors to go do cool things. I know cool things in RMF don’t always fit, but believe me, it opened a ton of doors, and so that really resonated with me, Jason, because that’s literally that’s my story. I hope that becomes a story for other people that are listening to this podcast.

Jason Dion:
Awesome. Thank you, Drew. Kip?

Kip Boyle:
 I just want to thank Drew for his generosity and his willingness to share what it’s really like to work with RMF. Thank you so much, Drew.

Drew Church:
Kip, absolutely. Thanks for having me.

Jason Dion:
Yep. Thank you again, Drew. I really appreciate you taking the time today, and for everybody else, thank you again for spending another episode of Your Cyber Path with us. You can always find this and other at yourcyberpath.com, and we hope you join us again next time. Thanks.

Kip Boyle:
Thanks everyone.