SAN DIEGO - Naval Information Warfare Systems Command (NAVWAR) completed the transition of more than 1,300 systems from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF), ahead of the deadline set by U.S. Fleet Cyber Command/U.S. TENTH FLEET.
The transition began in August 2019, when U.S. Fleet Cyber Command issued an operational order, known as Operation Triton Bastion (OTB), requiring the on-time transition to RMF, bringing the Navy into alignment with U.S. Government and DoD guidance to implement a risk-based cybersecurity assessment and authorization process.
Despite COVID-19 challenges, NAVWAR not only finished the task of moving all systems to RMF, but also finished 6 weeks early, before the Dec. 31, 2020 cutoff date. In addition, NAVWAR consolidated more than 1,300 system packages to fewer than 500, which will reduce the time and effort required to manage and maintain these authorizations.
“This was an incredible achievement for both NAVWAR and the Navy,” said Ed Lazarski, director of Cybersecurity for Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) and Space Systems. “Maintaining and accelerating this transition schedule during the COVID-19 telework environment was very challenging. We had to work through less available people, labs, and secure environments but our team was committed to making this transition happen. As RMF becomes more ingrained into the development cycle, incorporating cybersecurity early on will result in increased cyber resiliency, supporting the Navy’s ability to protect, detect, react, and restore system operability, even when under attack.”
RMF uses a risk-based cybersecurity approach for enterprise-level authorization of IT systems and services. It incorporates cybersecurity early on in system development and promotes continuous monitoring of security controls throughout the system lifecycle. It is a rigorous six-step process that can take anywhere from six to 12 months, with an end goal of receiving the authorization to operate (ATO) on the Navy’s network.
The steps include categorizing systems; selecting, implementing and assessing security controls; authorizing systems; and monitoring security controls. The sixth step, monitoring security controls, is significant, as it is moving towards a continuous monitoring process throughout the system lifecycle. The goal of this continuous monitoring is to have a properly maintained system that can then maintain its ATO, rather than having to repeat the entire process every 1-3 years, saving both time and money. This would allow systems to stay operational in the fleet longer, provided the risk posture has not changed.
Getting NAVWAR systems through the ATO process is a team effort, beginning with program offices and system owners and assisted by the NAVWAR Package Submitting Office (PSO). The PSO conducts quality assurance reviews on RMF packages, performs metrics analysis, and coordinates and prioritizes packages with the Security Control Assessor and Navy Authorizing Official.
Now that NAVWAR has completed the transition to RMF, it is looking for ways to improve and streamline the overall process and reduce the six-to-12-month timeline. To achieve this, NAVWAR developed the Rapid Assess and Incorporate Software Engineering (RAISE) process, one of the many RMF reform programs NAVWAR is leading.
RAISE is the Navy’s development, security and operations (DevSecOps) RMF process to rapidly assess and authorize software for deployment to the fleet.
RAISE leverages RMF and applies it to containerized applications, helping the Navy to quickly field applications through pre-approved assessment criteria while bringing automated testing and cybersecurity services into the DevSecOps environment. This streamlined approach significantly reduces the RMF workload and timeline, with applications completing the process in as little as 50 days. It also allows for continuous updating and direct delivery of newer versions of applications to the fleet at a faster pace.
“This is not just speed to capability, it is speed to capability with security,” said Bryan Dennie, NAVWAR cybersecurity division head and RAISE technical lead. “Thanks to the NAVWAR team, RAISE will allow us to deliver safe, secure and reliable applications and application updates at the speed of relevance.”
Approved for use in Jan. 2021 for applications hosted on the Consolidated Afloat Network and Enterprise Services (CANES), RAISE will deliver applications to the fleet faster while maintaining cyber rigor.
“Cyber is an all-hands on deck part of our mission,” says Rear Adm. Kurt Rothenhaus, PEO C4I and Space Systems commander. “I’m proud of the whole team’s focus on building increasingly cyber-tough systems.”
Moving forward, as the cybersecurity technical authority, NAVWAR is working to get RAISE approved for use on all Navy applications and is continuing to grow application-hosting platforms.
About NAVWAR:
NAVWAR identifies, develops, delivers and sustains information warfighting capabilities and services that enable naval, joint, coalition and other national missions operating in warfighting domains from seabed to space and through cyberspace. NAVWAR consists of more than 11,000 civilian, active duty and reserve professionals located around the world.