RMF uses a risk-based cybersecurity approach for enterprise-level authorization of IT systems and services. It incorporates cybersecurity early on in system development and promotes continuous monitoring of security controls throughout the system lifecycle. It is a rigorous six-step process whose end goal is to receive authorization to operate (ATO) on the Navy’s network.
RMF packages include several plans that formally document the scrutiny given to a system before it can receive an ATO. Currently, the Navy’s RMF process takes roughly 6-18 months to achieve authorization. With over 2,000 Navy systems, this represents significant manpower, time, and cost, spread across hundreds of labor-intensive, manual transactional processes that lack optimized process flows.
The RMF Factory aims to stabilize and automate RMF package development and processing to enable operationally relevant, risk-informed authorization decisions.
"The factory serves as a forcing function to clearly identify the process, develop standard operating procedures for RMF, and mechanize them using the theory of constraints," said Rob Wolborsky, NAVWAR chief engineer. "This has resulted in significant process automation and a major reduction in complexity, resources, and time to get through the process. A real get better moment!"
The team has shifted from the RMF Automation and Process Streamlining (RAPS) tool to the RMF Automation Factory Tool (RAFT). Using this Microsoft Access tool, they were able to build out automations and provide the users with the same graphical user interface to perform complete package quality auditing in accordance with current U.S. Navy standard operating procedures.
Similar to RAPS, RAFT integrates with Enterprise Mission Assurance Support Service (eMASS), a government-owned, web-based application with a broad range of services for comprehensive, fully integrated cybersecurity management.
When a user downloads the tool, it also comes with:
• A basic change log that will identify errors reported by users, adjudicated by the team, and then fixed/upgraded
• All applicable standard operating procedures in the event a user would like to view the Word version
• Other applicable templates
• A comprehensive guide designed to assist users with progressing through the RMF Factory workflow
The RMF Factory also has a dashboard view, which provides the status of current systems by eMASS and Factory workflows in a visual format. This includes current key performance indicators related to Factory usage, average days spent in eMASS workflows (ADW) and the historical trends for that metric, average rework within workflows, and first pass yield.
“RAFT is simple and easy to use, less cumbersome than the old checklists, and extremely thorough,” said Samantha Welch, RAFT user and information system security engineer. “I recently went through a full reaccreditation using the RAFT tool and got a first pass yield. When I didn’t use it, there were mistakes and the package came back to me for rework. RAFT is now one of my top tools that I will use as an information system security engineer.”
In March 2023, NAVWAR Commander Rear Adm. Doug Small signed a memorandum mandating the use of the RMF Factory for all NAVWAR-affiliated systems when obtaining a new authorization or re-authorization.
In an effort to lead other Navy and Department of Defense stakeholders to improved RMF processes, the team offers weekly RAFT training sessions, which include a live demonstration and allotted time for questions.
Moving forward, the team aims to improve the logic within the workflows to better identify whether systems are erroneously in the wrong Factory step or in need of assistance. The goal is to identify any workflow issues early on, alert the RMF team so that they can take action, and assist the user/system owner.