Keep Watch for Project Sentinel
Melior Quam Prius. With those Latin words for “better than before,” recently retired Army Cybersecurity Integration and Synchronization Director Nancy Kreidler had a vision to unite multiple U.S. Army organizations. The mission: to adapt the Army’s Unified Network Plan’s Risk Management Framework (RMF) process and streamline its threat-informed risk decision process, creating the first phase of RMF 2.0, commonly referred to as Project Sentinel, Army leaders shared.
The current state of the Army’s RMF consists of six steps: categorize system; select security controls; implement security controls; authorize system; and monitor security controls. Steps one through five are one-time tasks, which makes step six the only ongoing task and the one most urgently in need of prioritization as the Army reforms its risk management, officials say.
As with any operational change, the Army must start by going back to its foundations—National Institute of Standards and Technology (NIST) Special Publications 800-37 and 800-53 are the two publications from which the Army derives all operational requirements. “When the Army implemented the Risk Management Framework, the abundance of security control requirements took us by surprise,” Risk Management Division Chief Leslie (Les) South said Wednesday during the first of four SIGNAL Media webinars airing in advance of AFCEA International’s TechNet Augusta event in August. “The abundance of security controls that were introduced in the [RMF], by an order of magnitude, increased the requirements nobody imagined and nobody was prepared for.”
“We don’t need 100 controls to all tell us the same thing,” said Ali Mohammed, senior adviser in the Cybersecurity Integration and Synchronization (CIS) Directorate, a co-presenter during the webinar. To which South brought up the most important question for RMF 2.0: “What are the controls that will allow [the U.S. Army] to ‘defend and react’?” This calls for constant monitoring of the current cybersecurity posture, therefore shifting away from the routine culture of compliance.
The methodology behind Project Sentinel is to “look at every single control and assessment procedure … to get a culmination of the secure environment and holistically address an area of concern,” South stated. As an example, South referred to CIS Controls, a set of actions developed by a group of information technology (IT) experts who are “in the trenches day-by-day” and can see the exact ever-changing threat landscape. Informed by actual attacks in an operational environment, the experts created a set of incident response controls and priorities. Inventory must, of course, remain the priority. “I have to know what is in my environment before I can even begin to secure what is in my environment,” South stated. But what does change with Project Sentinel is the shift in prioritization.
“If an organization can successfully test their incident response plan, soup-to-nuts, beginning-to-end, covering all types of incidents from various challenges, is there one control that will tell us that we’ve covered everything else?” South asked. Upon looking at every single missed security control within the control catalog, and mapping out the most critical areas to identify, Project Sentinel discovers the one or two controls requiring the most attention that could act as the final exam for a safer and more secure environment. “If an incident response test can be conducted successfully, then guess what, I’ve probably got a pretty good incident response program.”
Mohammed listed the three phases of RMF 2.0:

Phase 1: Prioritize RMF Controls
- Publish the Project Sentinel Enterprise Mission Assurance Support Service (eMASS) Record
- Train the Army community
- Publish tactics, techniques and procedures (TTPs)

Phase 2: Reform Risk Acceptance
- Create the Army Cyber Risk Management Council (ACRMC)
- Align with the Army Cyber Command Home (ARCYBER) Cyber Risk Assessment Management Program (CyRAMP)

Phase 3: Continuous Monitoring
- Synchronize cybersecurity activities
- Define Authorizing Official (AO) Annual Review and the Federal Information Security Modernization Act (FISMA)
- Define Continuous Monitoring Transition
Security control inheritance is at the core of the foundation of Project Sentinel, along with common controls and common control providers. “If we can identify any security objective as a common control and put it in a common control provider and use security control inheritance across the enterprise, the return on investment across the Army is phenomenal,” Smith added. Just like a sentinel stands to keep watch, the culmination of RMF 2.0 is how the Army enters into continuous monitoring, thereupon becoming better than before.
SIGNAL Media’s full on-demand webinar, Game Changer: Operationalizing Cybersecurity, is available to watch. This webinar is a precursor to AFCEA’s TechNet Augusta event, taking place August 15-18 in Augusta, Georgia.