Risk management, IT modernization, and streamlined acquisition among the consistent themes at this year’s conference.
The Security Solutions conference resumed in 2018 after a six-year hiatus. Attendees from a broad spectrum of the military, the intelligence community, and federal civilian agencies came together for the two-day event to gather ideas and insights that will help them assure mission success.
The conference was marked by a series of keynote addresses that complemented one another in their emphasis on risk management, cybersecurity, and IT modernization through the cloud and other technologies.
Leading off the conference was Teresa Carlson, vice president, worldwide public sector, Amazon Web Services. She shared her company’s history of providing cloud services that satisfy the requirements of the most security-sensitive organizations.
She also explained that AWS and Telos have partnered on Xacta security and compliance solutions that have slashed the time and effort needed to comply with some of the government’s most stringent guidelines for security and risk management.
Edward A. Brindley, the DoD’s acting deputy CIO for cybersecurity, continued the risk-oriented theme with his insights on DoD cyber resiliency. Because all threats aren’t equal, he stressed the need for keeping “first things first.” That means senior DoD leadership will need to accept more risk — because “if we recognize where we are going to focus resources, we know where we aren’t going to focus them.”
To help them do that, a common framework for understanding and managing risk is needed, which commanders, cyber operatives, and IT folks can all share. Brindley cited the nascent alignment of the NIST Cybersecurity Framework with the NIST Risk Management Framework as a step toward creating a common, organization-wide environment for cyber risk management across multi-disciplinary teams.
Bringing Insights from the Field
As the CENTCOM J-6, MG Mitchell L. Kilgo added his experiences from the field. He emphasized the need for operational readiness of the network — not an easy thing to maintain with so many coalition forces working together in such a volatile Area of Responsibility (AOR). He needs to ensure that multiple allies are prepared with the information they need to “fight tonight” at every moment.
One of his themes was the need to mitigate risk in such a dynamic and complex environment, in his AOR and in his networks. He observed that, as the authorizing official, the risk isn’t his, it’s the commander’s. Thus commanders need to receive reports on operational and cyber readiness that provide options for decision-making, including any risk and what is being done to mitigate that risk.
Ms. Wanda Jones-Heath, deputy CISO, U.S. Air Force, gave attendees a detailed look at today’s perimeter. It isn’t the traditional perimeter any longer; it’s everything from the end-user to the cloud. That means empowering senior leaders to manage risk so that they aren’t impeding the mission but instead have the confidence to ensure warfighters have the capabilities they need.
Maj Gen Sarah Zabel gave an engaging talk from her perspective as co-leader of the DoD team that deployed the NIST RMF to replace DIACAP — “a big effort with lots of enthusiasm.” Part of that undertaking was leveraging modern capabilities to support risk management, including the use of tools like Xacta, ARAD (the Air Force’s Automated Remediation and Asset Discovery), and others.
She also praised the release of NIST RMF Rev 2 for its emphasis on the need for threat information, awareness across interconnected systems (including the supply chain), audits that help organizations prepare for readiness inspections, and tools and processes for supporting risk management. Turning to her current role in the IT acquisition process, Maj Gen Zabel also stressed agile development for meeting today’s cyber threats and ensuring that security is built in from the beginning.
Revisions to the RMF and CSF will help strengthen cybersecurity postures, empower risk-informed decisions.
NIST is in the process of unveiling revisions to both its Risk Management Framework (RMF) and Cybersecurity Framework (CSF). Thus we were privileged to have two of the leading voices for cyber risk management appear at the 2018 Security Solutions conference to shed light on these revisions and how these two frameworks will work more closely to protect and assure the security posture of federal agencies.
Dr. Ron Ross has been the leader of the multidisciplinary joint task force behind the NIST RMF since the first version was published in 2010. He gave a presentation on the NIST RMF Rev 2, which is in the final stages of preparation.
Dr. Ross opened with an overview of the dangerous and worsening conditions in cyberspace and the difficulties involved in assuring security and managing risk: “Senior leaders are enthralled with the latest technologies, yet we still don’t know how deep our adversaries have embedded malicious code in our systems. Our appetite for advanced technology is rapidly exceeding our ability to protect it.”
Given that enterprises can’t protect everything, the answer is to judiciously manage risk, with special focus on critical systems and assets. The updated RMF will help achieve that, particularly with its focus on privacy risk management, developing secure software and systems, and the integration of supply chain risk management (SCRM) concepts.
The result is a unified framework for managing security, privacy, and supply chain risks, which also includes mappings to the NIST Cybersecurity Framework’s categories, subcategories, and constructs. A new “Prepare” step in the framework also ensures that organizations are ready to execute the RMF from the enterprise perspective.
Mr. Matt Barrett, program manager for the NIST Cybersecurity Framework, gave an overview of the CSF and then covered its recent revisions and its application in the federal space.
Originally issued in 2014 for voluntary use in critical industries, the CSF is now mandatory for use by federal agencies since Executive Order 13800 was issued in May 2017. At the same time, NIST issued NIST Interagency Report 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies, to show agencies how to apply the CSF in their environments.
Mr. Barrett provided a guided tour of each of the eight use cases in NISTIR 8170, how they map to the CSF components and the three tiers of NIST SP 800-39, and how they support the NIST RMF.
He also highlighted the new facets of the CSF, including its alignment with federal guidance on supply chain risk management (SCRM) in the “Identify” function and identity management, authentication, and access control in the “Protect” core function.
The two NIST frameworks have been running on a parallel track for the past four years. With their new functionality, they will complement each other as federal agencies use the frameworks in concert to strengthen their cybersecurity postures and enhance their ability to make risk-informed decisions.
It was hard to duck into any session during Security Solutions 2018 without hearing the phrase “ATO in a day.” While that goal is still in progress, several speakers highlighted how Xacta 360 is supporting their ability to streamline and radically accelerate the assessment and authorization process:
- Brett Miller with Amazon Web Services and Brian Price with Stratus Solutions joined Telos’ own Stephen Horvath to present on how Xacta and AWS empower the “Governance@Scale” pattern that enables organizations to overcome obstacles to cloud security and compliance and to move faster and with increased confidence to AWS.
- John Nicely presented on how Xacta 360 has simplified and streamlined the A&A for workloads in the C2S cloud. Many of the key tasks in achieving ATO have gone from weeks and days to hours or minutes, accelerating time to operational approval. In concert with Xacta Continuum, his agency is also meeting its continuous monitoring requirements on a daily basis.
- Monica Montgomery explained the role Xacta plays in her agency’s agile, risk-adaptive approach to maintaining an acceptable cybersecurity posture across the NIST Risk Management Framework. ATOs can be achieved in a third of the time, with “ATO in a week” in limited situations and “ATO in a day” for temporary approval for critical requirements.
- Joe Long gave a presentation on how the NIST RMF can be “an achievable, verifiable, and repeatable process” by leveraging policy, tools, training, and continuous monitoring. Xacta helps his agency automate, track, and report on key steps in the RMF process.
Attendees at this year’s Security Solutions conference were fortunate to have a selection of sessions and panels on the warfighter perspective on communications. These presentations reflected many of the themes from the keynote addresses and other breakout sessions, including the complexity of the daily operational environment, the challenges of coordinating with coalition forces across AORs, and the need for simple, light, and flexible technology solutions.
Future of Tactical Communications
Moderator: Col Stephen P. Corcoran, USMC (Ret), Director of Cyber Strategy, Telos Corporation
Panelists: Col Curtis Carlin, USMC CENTCOM J6 Operations; COL Wade Johnston, Joint Enabling Capabilities Command, Joint Communications Support Element, United States Army
In this session, two communications leaders gave their insights into where we are now, and where we’re headed with tactical comms. Coming at the topic from a regional mission perspective, Col Carlin spoke about the complexity of the daily operational environment and emphasized the importance of cybersecurity frameworks and shoring up cyber defenses.
COL Johnston confirmed these same concepts from a global mission perspective. In particular, he focused on the need for tactical comms that are smaller, lighter, and faster to support quick deployment. He also said that he needs the business case as well as the operational case when considering new technologies.
Air Force Senior Warfighter Cybersecurity Perspectives
Moderator: Brig Gen (sel) Rob Lyman, JSOC/J6
Panelists: Col Andrew ‘Batman’ D’ippolito, Commander, 435th Air Communications Group (USAFE); Col Jeremy ‘JB’ Boenisch, Commander, 5th Combat Communications Group; and Col Glenn ‘Obi’ Genove, PACAF/A6
Representing three different warfighting elements of the USAF, this panel focused on how the USAF is organized, trained and equipped to deploy and fight at the tactical edge of the battlespace, and how the USAF/DoD operate globally but face unique challenges in different theaters of operation.
Col D’ippolito observed that his forces need to be able to interoperate with other services and under varying conditions on three continents. Challenges include integrating cyber and communications capabilities with coalition partners among 20+ nations, often “on the fly” in ongoing missions. For those reasons, USAF and DoD need technology that’s open, interoperable, and simple to operate and maintain.
Col Boenisch emphasized that the culture among deployers and warfighters is a critical component in combat readiness — melding traditional mindsets with millennial perspectives to achieve an optimum blend of individual capacity and initiative. While technology is a force enabler, it’s the creativity, adaptability, and flexibility of the service men and women that deliver an edge in the fight.
Col Genove discussed the unique challenges of operating in a theater that comprises 60 percent of the world’s surface but with very little land mass. He highlighted the need to field forces and capabilities that maximize flexibility from pole to pole, integrating operations with Pacific Rim allies of varying cultural perspectives and military capabilities while confronting a range of adversaries.
SOF Innovation Challenges
Brig Gen (sel) Rob Lyman, Director of Communications (J6), Joint Special Operations Command
Joint Special Operations Command supports all Combatant Commands worldwide with special operations forces and capabilities. In the context of that vital mission, Col Lyman gave a comprehensive presentation of JSOC’s strategies for acquiring technologies that ensure the most capable warfighters on earth deploy with the most effective capabilities for combat effects.
Cybersecurity in the Global Nuclear Enterprise
Col Scott E. Solomon, Deputy Director of Operations and Communications, AF Global Strike Command (AFGSC/A3-6) and command CIO
Col Solomon opened with a video about the unique mission and physical environment of the USAF nuclear force. He said that the nuclear enterprise is primarily architected to depend on physically separate and protected C4ISR infrastructure for cyber/comms security. But where they rely upon the AFNET, GIG, and other forms of connectivity, their most important mission is securing the net, their systems and their applications.
AMHS plays a key role in the world’s mission-critical communications.
The Telos Automated Message Handling System (AMHS) has always been one of the signature solutions featured during the Security Solutions conference. It is the only web-based solution for assured messaging and directory services, providing access to the full spectrum of organizational messaging systems and protocols.
This year’s AMHS sessions kicked off with a presentation by Jeff Bentley, the PM for DISA’s Organizational Messaging Service (OMS), in which he covered the current capabilities of organizational messaging as well as enhancements that will be coming to OMS over the next year or so.
Currently the OMS provides a range of secure messaging services to a worldwide community of U.S. military, government, and allied customers operating in both strategic and tactical environments. Information exchange at this level often requires the authority of an organization rather than an individual. Such messages impose operational requirements for timely delivery, precedence, high availability, and reliability.
In addition to an overview of OMS’s current capabilities, Mr. Bentley covered the progress made to improve existing OMS services and to enhance its technical performance going forward. These improvements will support modern data transports and directories, enhanced interoperability, and secure cross-domain capabilities for communications among coalition partners.
Other sessions in this track included a presentation from the U.S. Marine Corps on how the Corps runs AMHS using a hyper-converged infrastructure and sessions for training and troubleshooting. The future is bright for the premier messaging solution used by the world’s most security-conscious organizations.