Successfully Integrating Risk Management Framework (RMF) with SecDevOps

Latest Compliance Recommendations Encourage Automation

Security Development Operations

As technology, security, information, and risk mitigation efforts rapidly evolve, information system security officers (ISSOs) and information system security engineers (ISSEs) must meet the challenge of identifying and integrating a proven and reliable risk management framework (RMF) and its controls in the early stages of any system engineering effort. This requires a mutual understanding between ISSOs, ISSEs, and SecDevOps teams as to how effective security controls will be automated, tested, integrated, and deployed in each project's design process.

Current auditability and compliance recommendations call for RMF automation

National Institute of Standards and Technology (NIST) Special Publication 800-37r2 (RMF):

Organizations should maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the Risk Management Framework (RMF). Automation is particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches—together facilitating a real-time or near real-time risk-based decision-making process for senior leaders. Organizations have significant flexibility in deciding when, where, and how to use automation or automated support tools for their security and privacy programs. In some situations, automated assessments and monitoring of controls may not be possible or feasible.

Federal Information Security Management Act (FISMA) FY2022 guidance:

FISMA data collection has long remained an overly manual process that often leads agencies to create complicated spreadsheets and internal processes to respond to questions. As the Federal information security apparatus matures, so should its reporting mechanisms. OMB is emphasizing automation and the use of machine-readable data to speed up reporting, reduce agency burden, and improve outcomes. This memorandum directs development of a strategy to enable agencies to report performance and incident data in an automated and machine-readable manner.

Questions to Consider

While automation has its advantages, integrating an automated RMF raises a handful of questions that must be considered, including:

  • How can ISSOs and ISSEs better work with DevOps teams to ensure the controls are identified at the start of a development or system engineering effort?
  • How can System Owners automate the implementation and testing of controls and the auditing of control artifacts to demonstrate effective security and reduction of risk in the system?
  • How can audit teams maintain independence while also keeping up with the pace of deployments and changes to production systems?
  • How do chief information security officers (CISOs) and authorizing officials maintain awareness of residual risks across the enterprise, as well as within individual systems, so they can authorize systems based on reliable, recent, and relevant data?

The good news is that agencies do not need to answer these questions on their own. The consultants at SkyePoint Decisions partner with clients to address these questions and other concerns, then develop a customized plan for integrating RMF with SecDevOps teams. It begins by recognizing common challenges and identifying agency-specific concerns. Some of the obstacles that are tackled first include:

  1. Integrating security testing and verification of control selection and effectiveness for reducing risk into the automation of assessments.
  2. Outlining an approach to involve ISSOs and ISSEs earlier in the SecDevOps process.
  3. Developing a procedure to maintain the independence of the RMF testing team.
  4. Determining protocols that allow the security assurance team to keep pace with CI/CD pipelines.

Far Reaching Benefits

While some ISSOs and ISSEs may be apprehensive about working with SecDevOps teams, it is important to note that a partnership between ISSOs, ISSEs, and SecDevOps teams is a solid and proven approach. The advantages not only extend throughout the agency but are far reaching, benefiting customers and constituents as well.

According to the DoD Enterprise DevSecOps Reference Design (unclassified public release):

“…the main characteristic of DevSecOps (a.k.a. SecDevOps) is to improve customer outcomes and mission value by automating, monitoring, and applying security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor. Practicing DevSecOps provides demonstrable quality and security improvements over the traditional software lifecycle, which can be measured with these metrics:

  • Mean-time to production: the average time it takes from when new software features are required until they are running in production.
  • Average lead-time: how long it takes for a new requirement to be delivered and deployed.
  • Deployment speed: how fast a new version of the application can be deployed into the production environment.
  • Deployment frequency: how often a new release can be deployed into the production environment.
  • Production failure rate: how often software fails during production.
  • Mean-time to recovery: how long it takes applications in the production stage to recover from failure.

In addition, DevSecOps practice enables:

  • Fully automated risk characterization, monitoring, and mitigation across the application lifecycle.
  • Software updates and patching at a pace that allows the addressing of security vulnerabilities and code weaknesses.”

SkyePoint Decisions’ Proven Approach

The consultants at SkyePoint Decisions have the expertise and experience to assist agencies with integrating RMF with SecDevOps teams and maximizing their involvement to promote optimal outcomes. While we develop a customized plan for each client, our approach includes:

  1. Integrating ISSOs and ISSEs into the sprint planning phases of SecDevOps teams.
  2. Promoting active involvement of ISSEs through the creation of “User Stories” to be included in SecDevOps sprints; these “User Stories” are customized for your agency and aligned with your risk tolerance for HVA, High, Medium, and Low system levels.
  3. Providing SecDevOps teams with standard tool sets to implement and audit security controls:
  • Automation for STIG compliance
  • Automation for security testing
  • Automated vulnerability scanning integrated into the development pipeline
  • Automated tools integrated with the agency GRC platform
  • Automated creation of assessment reports
  4. Structuring the ISSO and independent risk assessment teams in a manner that maximizes existing capabilities and leverages tiered skilled resources to reduce overall cost.
  5. Structuring risk assessments around an Agile Scrum and/or Kanban pull approach that syncs with the SecDevOps teams’ ceremonies, enabling smoother integration and testing.

Since current compliance and auditing practices call for a move toward RMF automation, all agencies will eventually need their SecDevOps teams to integrate the RMF. SkyePoint Decisions recently received a Task Order award from the Department of Education (DoED), Office of Federal Student Aid (FSA), to perform Cybersecurity Risk Management and Compliance. SkyePoint was selected largely for its ability to enhance and automate the Authority-to-Operate (ATO) and Risk Management Framework (RMF) processes for FSA.

Are you considering how your agency might integrate its RMF with SecDevOps teams? If so, contact SkyePoint Decisions to learn more about how we can help you make a smooth transition.