Risk Management Framework Design Sprint
"How might the Air Force accelerate the implementation of the Risk Management Framework (RMF) to a velocity more compatible with warfighter needs and modern DevOps methods for federal information systems including IT, OT, and Platform IT?"
To meet the changing demands of cybersecurity, the Air Force needs a formal policy procedure that is fluid enough to flow with changes in the cybersecurity landscape, but firm enough to clearly point AF personnel towards its essential nature.
This design sprint boasted nearly 40 participants from a diverse group of military units, professions, and 12 different industries.
Its inception began in January 2018, at Scott AFB. From an initial conversation, 6 use cases were developed to illustrate a range of realistic Risk Management situations. Design sprint teams were formed around the use cases and each team focused on re-designing a risk management approach tailored to their use case.
Solutions were narrowed down to two themes:
- Automatic Testing: Create a trusted build environment with an automatic AI-driven process for cybersecurity certification. This tool will automatically certify software as code is being written to allow for rapid granting of approvals to operate.
- Process Simplification: Develop a new RMF process that improves risk management for decision-makers, transparency for stakeholders and users, and trust for all users.
- Risk Management can be improved by shifting from controls engineering to security capability engineering, establishing a collaborative cyber threat database that includes intel in the risk analysis and operational mission owners in the process.
- Transparency can be improved by fielding a business process automation tool that tracks the RMF process.
- Trust can be improved by carrying out the former two solutions and by enforcing accountability, thereby allowing for larger degrees of delegation.