Risk Management Framework (RMF)
Transition
Operation Triton Bastion (OTB) OPORD 19-058
CONTACT US
FCC NAO Distribution List:
FCC_C10F_SUFF_NAO_RMF_CAMPAIGN_PLAN@NAVY.MIL
Additional information is accessible via the Fleet Cyber Command Operation Triton Bastion Portal:
URL: https://usff.navy.deps.mil/sites/fcc-c10f/NAO/SitePages/RMF%20Campaign%20Plan.aspx
U.S. FLEET CYBER COMMAND MISSION
The mission of Fleet Cyber Command is to plan, coordinate, integrate, synchronize, direct, and conduct full spectrum of cyberspace operational activities required to ensure freedom of action across all of the Navy’s warfighting domains in, through, and from cyberspace, and to deny the same to the Navy’s adversaries.
“Understanding and knowing our DoDIN is a must do in order to C2, operate, defend, configure, and maneuver in and throughout CYBERSPACE.” … “If you don’t know what you have to operate, then how can you know what you actually have to defend?”
Mr. Manuel Hermosilla, SES
Executive Director, Fleet Cyber Command/C10F
The Risk Management Framework (RMF) for Department of Defense (DoD) Information Technology (IT) mandates the management of cybersecurity risk across the enterprise through adaptation of National Institute of Standards and Technology (NIST) guidance. RMF uses a risk-based cybersecurity approach for enterprise-level authorization of IT systems and services. New acquisitions should be in alignment with DoD Acquisition phasing and informed by the RMF to ensure cyber readiness from the start.
RMF provides three (3) significant improvements to how the Navy manages cybersecurity risk. First, it incorporates cybersecurity capabilities early in the design of a system’s capability. Second, it increases the emphasis on continuous monitoring of security controls during a system’s life cycle. Third, it brings the Navy’s platform IT, combat systems and industrial control systems under the same procedures.
WHAT IS THE DESIRED END STATE
Accomplishing the objectives and lines of effort will require Navy-wide focus. The Navy is counting on Echelon II and system owners to take responsibility, accountability, and authority to move the campaign plan forward and meet the Navy’s goal to transition to RMF by December 2020. The RMF cybersecurity focus, which is integrated throughout a system’s life cycle, enables a common risk lexicon, a common cybersecurity framework, and improved cybersecurity readiness through alignment of RMF Steps with DoD acquisition activities. Navy working groups are meeting to continue to refine processes and smooth the RMF transition.
WHY IS RMF IMPORTANT
The Department of Defense (DoD) requires all services to transition from the DoD Information Assurance Certification and Accreditation (DIACAP) to the Risk Management Framework (RMF) by 31 December 2020. This effort is intended to reduce the Commander’s uncertainty in the Navy’s cybersecurity posture while meeting the statutory and policy requirements of RMF.
WHAT IS OPERATION TRITON BASTION
Through the RMF Campaign Plan, Fleet Cyber Command (FCC) issued an Operational Order (OPORD), Operation Triton Bastion (OTB), to speed completion of the RMF transition. Its purpose is to transition all existing DIACAP authorizations to RMF by December 2020. Execution of the operation will drive increased data collection and metrics to measure progress. Various Tiger Teams are chartered to develop and implement process improvements as required to assist stakeholders with initial RMF transition and follow-on activities.
“Risk Management Framework is Operational Risk Management (ORM) for Cyber Security.”
Dr. Charles Kiriakou
Fleet Cyber Command Navy Authorizing Official
WHY IS OTB IMPORTANT
This effort will align the Navy with DoD policy and processes using a common lexicon, and implement continuous monitoring so the Navy is better positioned to understand and manage cybersecurity risk. Cybersecurity integration will result in more dependable, resilient and trustworthy systems that significantly increase the Department of the Navy’s (DON’s) ability to protect, detect, react, and restore system operability, even when under attack from a capable cyber-adversary.
OBJECTIVES AND LINES OF EFFORTS
This operation to transition to RMF will address three (3) Focus Areas, with eight (8) Lines of Effort (LOEs), and will be executed in three (3) Phases (planning, transition execution, and validate and assess).
“When it comes to setting the Navy’s cyberspace theater, our NAO provides us the first outlook into our cybersecurity posture, and our Office of Compliance and Assessment (OCA) ensures the first look is accurate.”
Vice Adm. Timothy “T.J.” White
Commander, U.S. Fleet Cyber Command/U.S. Tenth Fleet
RMF OFF-RAMPS (ROR)
UC 1 – New DIACAP Certification (CD) (issued after 1 Oct 2016)
- Granted an initial DIACAP ATO of up to 18 months to migrate to RMF
- Upon conversion, granted up to 18 months to complete full RMF

UC 2 – Existing DIACAP ATO with less than 3 years remaining (issued before 30 Sep 2016)
- Upon conversion, granted an additional 6 months on the DIACAP ATD to complete full RMF
- Sunset as of September 30th, 2019

UC 3 – CAR or HREAG with outstanding vulnerabilities preventing issuance of a full 3-year RMF ATO
- Upon completion of RBC requirements, the system will receive an RMF ATO (RMF ATO with Conditions for High/Very High Risk)
- Length of bridge authorization is based on the understanding of risk, not to exceed 12 months

UC 4 – Use of assessed and certified risk of a DIACAP submission to issue an RMF vice DIACAP ATO
- Authorization may be issued for up to 12 months unless there is High or Very High Residual risk; HREAG will determine the duration of authorization with conditions
- For Afloat units, refer to RMF Transition Afloat Way Forward NAVADMIN 197/19 (DTG 231550Z AUG 19)

UC 5 – Current DIACAP C&A Authorization or new RMF A&A
- Open to a wide variety of participants; based on a set of critical security controls implemented using an overlay in eMASS
- Engaged in DIACAP activities but have not submitted assessment artifacts to the SCA
- Engaged in RMF authorization activities but have not completed the RMF Step 2 Security Plan approval process
- Using the Use Case 5 overlay will overwrite previous security control selections and security control select

UC 6 – Facilitate transition of an information system (IS) to RMF
- Engaged in DIACAP activities and have submitted validation results/artifacts to the NAO/SCA for review
- The IS will receive an RMF Security Assessment Report (SAR) vice a Certification Determination (CD) and be granted an RMF ATO
The NAO is assisting with fast-tracking transitions through the issuance of RBC Use Cases via the RMF Process. The RBC process provides six (6) “off-ramps” to transition to RMF and leverages a valid DIACAP authorization to give credit for work that has been completed.