Defense Industry Welcomes Initial CSRMC Policy
The revamping of the military’s Risk Management Framework, or RMF, is a welcome move.
The initial vision of the Cyber Security Risk Management Construct (CSRMC) is a good one and much needed, say cyber experts. They emphasized that the policy must implement cybersecurity as an engineering discipline and get into operations and engineering levels.
The RMF structure, and the policies that preceded it, amounted to a mere checklist approach, with some classifying it as “busy work.”
Joe Saunders, founder and CEO of RunSafe Security, explained that the existing RMF policies were issued at another time, technologically, when cyber capabilities were quite different.
“In fairness, the RMF was created in a technology epoch when cyber risks had to be taken on one at a time, so the line-by-line discipline was important,” he said. “Today, whole classes of risk can be taken off of the table in one swoop, so the dogged allegiance to the line-by-line process keeps next-generation capability in development and in test cycles when it needs to be in the warfighter’s hands.”
Cybersecurity at the department must be innovative and comprehensive, and come from all levels, including program managers, chief engineers, policy implementers, contract drafters and capability testers, cyber experts say.
Saunders’ colleague, Doug Britton, executive vice president and chief strategy officer, RunSafe Security, emphasized that, “to keep our adversaries off balance, we need innovation, downrange, immediately so they are reacting to us.”
The Pentagon’s CSRMC improves upon the decade-old framework, although at this time, it lacks detail. The release included a two-page policy outline and a graphic (see below). An expected CSRMC implementation plan and funding were delayed due to the government shutdown. And to some, the policy that was issued in late September, just before the end of the fiscal year, seemed rushed, with typos and other editorial mistakes.
Officials from the department’s chief information office (CIO) declined to be interviewed during the shutdown. The office is led by Katie Arrington, who is performing the duties of the CIO—as of late November, Kirsten Davies’ nomination to become CIO was still pending.
The policy outlines five phases for CSRMC, including design, build, test, onboard and operations. In the build phase, organizations would strive to achieve initial operating capability for their systems based on secure designs. For the test phase, the policy calls for comprehensive validation and stress testing before full operating capability can be approved. Those in the cyber industry are looking forward to details from the Pentagon about how this validation and stress testing would be conducted.
Organizations would also need to implement automated security and continuous monitoring to provide “sustained” system visibility, the policy stated. During the continuous operations phase, organizations should use real-time dashboards and alert mechanisms to provide immediate threat detection and rapid response.
The initial policy also sets 10 “tenets” for CSRMC, such as automation, critical controls, continuous monitoring, development, security and operations, and training.
The department wants the construct to produce culture, mindset and processes that “reimagine cyber risk management.”
“The CSRMC represents a cultural shift in how the Department of War (DOW) approaches cybersecurity, emphasizing automation, continuous monitoring, and resilience,” the memo stated. “This framework aims to enhance the speed and effectiveness of cyber defense, ensuring that U.S. forces can respond to modern threats more effectively.”
For Chris Usserman, global public sector chief technology officer for Infoblox, the policy was a welcome step, one that indicates the need to have cybersecurity and risk management not just in basic enterprise information technology but as part of operations.
“Primarily, I think it is really good, and it actually shows that with cyber, there is a greater understanding in the operational importance and the impact on mission systems,” said Usserman. “Years ago, during an operational component, cyber activities were either mission support or offensive activities, where they were off to the side, and then you had kinetic operations that were still at the forefront. And now we are actually bringing all of that together.”
Usserman previously served in the Air Force, first in intelligence cyber operations and later developing offensive cyber weapons for several U.S. agencies. He emphasized that if continuous monitoring and risk assessments were down at the operational level, commanders would be able to see impacts and make decisions on cyber risks.
The implementation of CSRMC should also avoid repeating that checklist approach as much as possible, said Usserman and Michael Smith, field chief technology officer of application security at DigiCert.
“We have seen multiple iterations and evolution of standards and processes over time, and the leadership always comes out to proclaim that this will be the end of checklist-driven processes, snapshot-in-time assessments,” said Smith, a former Army Russian translator and Signalier who, in industry, helped prepare cybersecurity measures for the 2018 and 2020 Olympic Games and other events. “Just by the nature of it, it is going to drive you into a more checklist-driven process, and controls-driven, and for each control, a test process producing artifacts to demonstrate that you have actually accomplished that item. That is kind of the nature of the beast.”
Smith applauded the inclusion of reciprocity as one of the tenets, saying that it was crucial in cutting down redundancy.
“One of the other important tenets is reciprocity, especially when it comes to structures,” Smith stated. “We do not have to necessarily assess those systems that we just looked at. We do have to look at the dependencies that we have on these existing components and look at the residual risk for us.”
In addition, Usserman suggested that Phase Two of the CSRMC policy should be revamped so that continuous monitoring is placed more into Phase One.
“In Phase two, they talk about feeding data information into continuous monitoring alignment,” he said. “And I look at it from the perspective of where we do acquisition development, because I have been on the R&D [research and development] side of the world for a while, and I would say that the continuous monitoring piece needs to shift all the way to the left, to the aspect of the planning systems themselves.”
The CSRMC needs to apply at the beginning of weapons systems and operational platform development, he stated, warning that the real problem, however, is applying the policy to legacy systems.
“From satellites to subs and everything in between, if you or your defense contractor is building a platform, such as a new airframe of sorts, this would apply to all of those new efforts,” Usserman said. “But how do we then take into account the legacy components that are there, the support systems that plug into, say, the Joint Strike Fighter or an unmanned aerial vehicle? How do we make sure that the systems that are supporting those operational platforms are secure themselves?”
Extending CSRMC to legacy systems that were previously certified under the RMF will “really come down to dollars,” Usserman observed.
Moreover, implementation of CSRMC will come down to those designing systems or acquiring them, Usserman ventured.
“I see this a lot in applying zero trust,” he said. “Zero trust is largely left up to the understanding of the architects and the program owners to implement. If you do not have any experience in how adversaries exploit systems, then you may not be able to best defend your network. And it is the same thing here.”
Officials need to be able to take into account the classified information related to how threat actors are actually exploiting networks to then implement appropriate controls, he stressed.
“One of the things that we often find, from a standards perspective, is the segregation of IT [information technology] versus cybersecurity teams,” Usserman said. “The most functional groups are the ones that actually work together.”
Proper implementation of CSRMC also needs to address the current reality of cloud-based assets, including multicloud and hybrid-cloud environments, with a real understanding of what is actually on one’s network. This is “paramount,” he stated.
For Magdalena LoGrande, cybersecurity engineering fellow at Sigma Defense, the CSRMC is “going in the right direction,” but the policy will need strength and innovative consequences to ensure implementation.
“I think RMF was really moving in that direction before this,” she said. “So, is this just a cosmetic change? Is it just a name change? Because I think what was missing from RMF was the teeth and the leadership buy-in.”
To add “teeth” or strength to the policy, CSRMC has to be addressed from an acquisition perspective, which the department is doing to a limited extent, LoGrande noted.
“I do see that oftentimes the RFP language in contracts does not really address cybersecurity as an operational imperative,” LoGrande said. “That has to be identified from the get-go. Then, it is the culture, the educational piece of continuing to drive programs to see cybersecurity as an engineering discipline.”
The National Institute of Standards and Technology and some military components were already moving toward continuous monitoring and other aspects of the CSRMC. The policy must, however, be comprehensively implemented, and again, at an engineering level.
“I believe those tenets were already in place, but I do not think that they are fully assimilated, internalized and implemented by programs,” LoGrande noted. “And I think a lot of it is probably driven by the fact that cybersecurity is still relatively stove-piped. It is not considered an element of engineering that has to be taken into account, as cost, performance and schedule factors are.”
The implementation must also be a robust framework, with industry understanding the breadth of such a policy. “Many folks in our space still see cybersecurity as just an ATO [authority to operate], like, ‘We just want an ATO,’” she noted. “But you could argue that you could have a very secure system that provides mission assurance. Even if it does not have an ATO and vice versa, you could have an ATO system that is not secure. Well, this is a framework to assess residual risk. The end is that we want secure systems that provide mission assurance and that, at the end of the day, is a fighting function.”
That kind of framework has to be embraced by program managers, those who write requests for proposals and contracts, chief engineers and testers, she emphasized.
“I think we are slowly changing, but it needs to be solidified from an enforcement perspective,” LoGrande stated. “Typically, you want to have carrots, or incentives. You do not want to have a stick. You want to have intrinsic incentives, healthy incentives, which, honestly, are difficult to do.”
Here, she suggested the department look at successful pilot programs that operationalized cybersecurity on an engineering level, and where a return on investment was measured and achieved.
“[Those] that followed the spirit of the CSRMC already and this is how they saved money, that is the language that programs understand,” LoGrande noted. “At the end of the day, they want to see a return on investment. When you are in the DOW, it is not business; it is mission, and everybody has to engage in trade-offs. But if there were shining examples that can prove that this is a way of doing it right, and this is actually going to save programs money, that could be useful.”
However the CSRMC is implemented, it must succeed, given the risks, Smith said.
“Cyber attackers, they can adapt, and really their goal in life is to adapt faster than we can actually implement controls or preventative measures to keep them from doing the bad things that they do,” Smith advised.