Project Sentinel - The Army Announces Cybersecurity Risk Management Framework Reform

By Nancy Kreidler, Cybersecurity and Information Assurance Director, Army Chief Information Office/G-6
December 12, 2019

RMF Project Sentinel
(Photo Credit: U.S. Army)

The Army is launching Project Sentinel to adapt the current Risk Management Framework (RMF) process into a streamlined threat-informed risk decision process.

The Army adopted the Risk Management Framework in 2015. Since then, as has been the case in other Services, the process has been fraught with challenges, including training, time to execute, number of controls, and resourcing. Focus on the process has been more compliance-based, with little consideration of current threat information. During the past two years, the Army has made considerable progress in streamlining the RMF process to address Army priorities, and activated Army Futures Command with specific processes for testing tactical systems. In addition, the Army created a process in which rapid capability can be assessed quickly to address high-priority operational needs statements from the field. Now, with lessons learned and experience using RMF over the past four years, the Army stands postured to pivot from compliance to a threat-informed risk management process.

Sentinel introduces the prioritization of cybersecurity controls based on current validated threats from authoritative sources, such as the Critical Security Controls for Effective Cyber Defense published by the Center for Internet Security (formerly SANS Top 20). The publication identifies controls that address the vast majority of the most common attacks.

The project will also review Army Cyber Command (ARCYBER) threat trends as well as military intelligence from the National Ground Intelligence Center and its Intelligence Community partners. The RMF control set can now be tailored to ensure these identified threats are addressed. By focusing on the "right" controls versus "all" the controls, the process becomes less cumbersome and less resource-intensive, yet more focused on true cybersecurity risk management.

In addition to focusing on a threat-based risk framework, Sentinel will look to institute a risk threshold. While there is risk that the Army is able to assume or mitigate, there is also risk that needs to be addressed before authorization can be granted. Examples of risk above the threshold are the encryption of personally identifiable information, or monitoring on public-facing websites. Examples of risk that the Army can assume or mitigate are vulnerabilities found on a closed or restricted network, or findings that are awaiting completion of documentation. With the adoption of a risk threshold, decisions about where to spend resources become apparent, necessary, and more precise. The cost to fix a cybersecurity finding above the threshold can be prioritized against other findings during an RMF assessment. In addition, the threshold can change with emerging threat information.

The project team will start defining and reviewing the threat resources and mapping validated threats to the RMF controls in Phase I. Several pilots will be conducted over the next several months to inform the level of assurance we gain from identifying the right controls, making the right assessments, and reviewing the process as a whole. Phase I capability is to be available in the April-May 2020 timeframe.

Ultimately, cybersecurity is a team sport and this effort bears that axiom out. We have a group of outstanding, dedicated cybersecurity professionals from all over the Army coming together in support of this effort. The Sentinel team includes representatives from the following organizations: Army Forces Command; the Army Deputy Chief of Staff G-2; the Army National Guard; ARCYBER; Army Materiel Command; Army Test and Evaluation Command; Army Corps of Engineers; Army Reserve Command; Army Network Enterprise Technology Command; Program Executive Office Command, Control and Communications-Tactical; and the Army Software Engineering Center.

I look forward to working as a team on this Army-wide effort to make meaningful change in how we execute cybersecurity.