In a blog post last year, I mentioned the addition of the Prepare step to the newly released Revision 2 of the NIST SP 800-37 Risk Management Framework, a.k.a. RMF 2.0. The Prepare step, which aligns with the core of the NIST Cybersecurity Framework (CSF), expands the conversation from system-focused vulnerability management into organizational risk management.
When RMF 2.0 was released, the Prepare step was sometimes referred to as “Step 0” — a new beginning step added to the original six-step RMF. Anyone who has attempted to achieve a federal Authorization to Operate (ATO) can appreciate the irony of the name “Step 0.” It is not uncommon to spend years in the assessment and authorization (A&A) process. With no ATO to show at the end of this investment, it is no wonder that some system owners feel they are living in Step 0.
Fortunately, by identifying distinct tasks for preparing your organization and separate tasks for preparing your systems, RMF 2.0 emphasizes the need to go beyond the IT Department (or “the 6” as it’s known in the armed forces). From a requirements perspective, this is not a groundbreaking idea. However, this is a major conceptual shift for federal compliance teams, who will now need to think past “the boundary.”
In my experience, the teams supporting the A&A process prefer to engage at the lowest levels and often do not consider the organizational dependency involved in genuine enterprise risk management. By hyper-focusing on that box with dashed lines around the perimeter (the boundary), and avoiding the organizational context, are we really making risk-based decisions? Of course not. In their defense, it is nearly impossible to keep undocumented organizational risks from being confusing, especially without traceability to how specific systems may affect that organizational risk. Additionally, organizational risk was supposed to be made visible and managed by the risk executive (function), which is rarely utilized in the U.S. federal government.
Changing the narrow focus into something much larger and meaningful will take time. Advocating for organizational awareness and buy-in will certainly add to the overflowing number of tasks CIOs and CISOs are balancing. Fortunately, the NIST CSF helps to achieve this objective.
The NIST CSF: Taking You to Mature Organizational Risk Management
Despite being around for over seven years and its mandated adoption by federal agencies under Executive Order 13800, there appears to be a general lack of understanding and awareness of CSF within federal security teams. When I inquire about an organization’s progress with the CSF, I’m often met with a response that ranges anywhere from uncertainty to exasperation.
Unfortunately, instead of looking at the CSF as a tool, many quickly dismissed the publication as another unfunded requirement. For those who have left it on the shelf, I would encourage you to pick it up again and look at it in a different light. The CSF is a valuable tool that can assist you in identifying an “as is” and “to be” state for your cybersecurity program through its defined Tiers. The CSF can also assist in facilitating a transparent dialogue, using a common language, to manage risk across the enterprise.
By extending the risk management discussion from the server room into the boardroom, compliance teams will also win. Individuals responsible for the implementation of control families such as acquisition, facilities, personnel, etc., will feed first-hand information into the process. Mission priorities and impacts will be more accurate, providing the context needed to determine if something is or isn’t an acceptable risk.
Why all this talk about CSF in an RMF blog post? My concern is that despite the effort of organizations to implement the CSF, system owners will maintain the score of “ATO 0, Compliance 10,000” – they’ll continue to meet a multitude of checkbox requirements for compliance rather than achieving true organizational risk management.
In reality, the point of the entire process has always been to identify the risks to the system, mission, and organization. We’ve traditionally done a good job identifying the risks to the systems; while low level, they’re the easiest to identify and track. It’s time to grow/mature/evolve and start asking the hard questions about organizational and mission risks in a real way and be able to trace them back to individual systems or capabilities.
True risk awareness is important in making go/no-go decisions on fielding capabilities for all agencies and organizations. We may never get all the information we need to make a fully informed decision, but we should have as much as we possibly can, including how these systems affect the larger whole.
Expanding the aperture in compliance to account for the organizational threats, risks, impacts and mitigation is key to this evolution. Standards are important; however, compliance does not need to be one size fits all. Acknowledging the CSF Tiers and interpreting the system-level risk will facilitate contextual discussion about reasonable security expectations.
Getting to the core of the Cybersecurity Framework is the answer to maturing the RMF from manufactured compliance to organizational risk management. If your commands and compliance teams are not talking about CSF, start asking questions. CSF is key to success not only with the RMF but also with overall mission assurance.