COMMENTARY: Talk to anyone who has deployed technology that meets the U.S. Department of Defense’s cybersecurity standards, and they’ll tell you the same thing: Compliance is a pain.
Why? It’s manual, takes too long and costs too much. Every deployment is different, requiring you to start from scratch each time. And above all, the whole process diverts too much of technologists’ time and attention toward bureaucratic box-checking, when it could’ve been applied to problem solving and innovation.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
There’s no question — the certification and accreditation process needs to improve. As an engineer who muddled through Authorization to Operate (ATO) for IT infrastructure in the intelligence community, I’m just one of many who have shouted, “There has to be a better way.”
It seems Pentagon technology leaders finally heard us. After declaring that they will be “blowing up” the Risk Management Framework (RMF), the Department of Defense recently released the Cybersecurity Risk Management Construct (CRMC). The moment for change has finally arrived. A seven-phase process has been reduced to five. Embedded security, automation, and continuous compliance are now prioritized over static, periodic checks.
This change has been a long time coming, but it is far too soon to declare victory. A new Construct is a helpful roadmap. But if we are truly going to change the face of compliance and shift the paradigm toward responsive, full-lifecycle, real-time hardening, we must redouble efforts to make the implementation of the CRMC a success. As any technologist can tell you, a lot happens once we put a new product into the hands of users. Here are several steps that leaders and technologists across the DoD can take to make this transition a success:
Build on early successes
CRMC did not emerge from a vacuum. Against the backdrop of an increasingly dynamic threat landscape and rapidly advancing automation capabilities, some have already been taking action to create a more seamless compliance process.
For example, the Army signaled it is embracing Continuous ATO (cATO) to move compliance from a manual, point-in-time process to an ongoing cycle that integrates with modern workflows, such as DevSecOps and Continuous Integration and Continuous Delivery (CI/CD).
A team at the U.S. Coast Guard went from measuring ATOs in months and years to days and weeks by embracing automation. And the intelligence community devised “espresso ATO” to zero in on the minimum number of controls necessary for authorization.
The CRMC presents an opportunity to build on these learnings, and apply a new framework to the entire DoD. Those who are new to the principles outlined in CRMC must continue to look for lessons from those who are already leading from the front.
Taking an innovator’s mindset
From the Pentagon CIO’s office to the experiments taking place inside the services and agencies, the change that we are seeing now is happening because everyone involved is taking an innovator’s mindset to problem solving.
Pentagon leadership clearly stated a problem and direction, consulted with experts, and rapidly deployed within months. This cycle must continue. The release of CRMC should be the first step in a continuous cycle of feedback and improvement that is applied across the compliance ecosystem. We want software and IT systems to be modular and adaptive. Our workflows should be held to the same standard. Applying commercial approaches requires propagating reforms through people and processes, not just tools.
Learning from the past to build for the future
We need to take the lessons we learned in the past so we avoid making the same mistakes that led us to this moment.
By “blowing up” the RMF, DoD has laid the groundwork to spur a new wave of tools that enable technologists to move through compliance more quickly. To succeed, we must understand not only how these tools can deliver for their teams, but how they enable engineering, security, GRC, and operations teams to work together to obtain compliance.
The new framework also must account for the complexity of national security. DoD technology is not only software; it encompasses IT infrastructure and complex hardware. Every deployment is different, and security must be integrated into each one, upfront and continuously.
While the challenge is big and multifaceted, there are many people who are ready to work on it, across the public and private sector. Pentagon leaders deserve a lot of credit for sending the right signals, taking an aggressive approach and setting long-talked-about reforms on the path to reality. But if we don’t continue to bring everyone to the table and iterate on solutions, we’ll be stuck in the same silos that have caused us to waste time and money, while conceding ground to adversaries.
We blew it up. Now that pent-up demand for modern compliance solutions is converting into action and implementation, it’s vital that we focus on building together.