Navy

CAPT Damen Hofheinz

Acting Cybersecurity Division Director

Mr. Dwight Taylor

Branch Head & RMF Lead

Mr. Alex Stone

RMF Contractor Lead, Working Group Moderator & Portal Manager

Mr. David Patton

RMF Contractor Support and Cybersecurity Scorecard SME


Transition Status: Navy systems have been granted RMF ATOs and continue to aggressively migrate from DIACAP.

Policy Update:

RMF Process Guide – 13 Dec 16
• A user guide to executing the RMF process lifecycle
• This does not replace the eMASS User Guide
• Living document – will be updated approximately quarterly

RMF Efficiency Memo – 27 Jan 17
• Defines requisite artifacts necessary for achieving a new RMF ATO
• Goal is to not slip back into DIACAP

RMF Implementation Strategy (“RMF Lite”) Memo – 1 Feb 17
• Provides a way to transition from an existing DIACAP I/ATO to RMF
• Establishes conditions for the transition to RMF

USN RMF Knowledge Management Portal
• Live now on the SECNAV SharePoint Portal
• Contains policy, RMF templates, and a collaboration board

OPNAV Instruction 5239.1D – US Navy Cybersecurity Program
• In final stages of review for release
• Will establish overarching policy and taxonomies for USN cybersecurity

https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC4/RMF/

Strategic Vision: Execute Information Security Continuous Monitoring by leveraging continuous authorizations


Metrics/Analytics

Data-driven analytics illustrating key Navy technology trends

• USE CASE: The SECDEF’s cybersecurity scorecard forces metrics out of self-reported assertions that neither reflect reality nor indicate actual risk
• Execute a strategic, bottom-up approach to collecting data and presenting key insights to leadership to depict the real issues impacting the Fleet

Workflow Integration

Automation of repeatable processes across common partner entities

• USE CASE: DDCIO(N) staff routinely participates in a cyber risk advisory group in conjunction with the Navy Authorizing Official (NAO) and DoN CIO. Complex procedures are executed via email and paper – deadlines slip and working relationships become politicized
• Launch a joint KM portal between collaborative stakeholders aimed at developing workflows to streamline repeatable processes and automatically archive data so it is centralized and accessible to appropriate stakeholders

Executive On-The-Go Access

Empower our senior leaders to execute their missions from anywhere

• USE CASE: Many procedural waiver requests, interim authorizations to operate (IATO), and alternate logon token (ALT) requests are urgent by nature and emanate from top levels of leadership up to COCOMs and even SECNAV – our signature authorities are often hampered by physical proximity
• Enable mobile access and digital signatures on policy documents so our executives can not only access, but act upon critical mission activities

Transformative Collaboration

Adoption of a robust, adaptive KM platform will transform the Fleet’s mission readiness and efficiency

• Communication is more than just drafting, signing, and disseminating policies and directives – it is the sharing of ideas, fostering of creativity and innovation across all echelons, and empowering our front line with the full breadth of situational awareness and preparedness invoked by the Department of Defense.


Current Focus Includes Echelon 2 RMF Leadership & Meets Bi-Weekly

• RMF Lite
• Tier II Control Inheritance
• Consistent & Correct Definitions – CNSSI 4009
• Reciprocity
• Improving Implementation Efficiency
• Improving Collaboration and Feedback Collection Across the Fleet

NEDCs currently only executing RMF

- DISA eMASS team will meet with AOs and SCAs to improve eMASS process flow for USN
- FCC/NAO is eMASS CCB Navy Rep
• Provide any input to your Echelon 2 command

SPAWAR is addressing Navy Qualified Validator (NQV) training


GUIDANCE: The RMF Implementation Strategy (“RMF Lite”) establishes a waiver process for continuing with DIACAP (18 month max. accreditation) & a process for bridging to an RMF authorization

WAIVER: Systems that have an active Certification and Accreditation (C&A) package that have completed DIACAP Activity 3 collaboration, and are pending eVote and a Certification Determination, will be authorized to continue working the DIACAP package via the waiver process

RMF ATO Bridge: The memo provides a path for “RMF Lite.” This establishes a way to lessen the requirements to achieve an RMF ATO if you already have a DIACAP ATO. The goal is to incentivize and facilitate the transition.
