Speed to Capability versus Accreditation

Steve Kurak, Senior Security Engineer, G2 Ops

The current method of assessing Cybersecurity risk of operation for Department of Defense (DOD) does not meet the Warfighters need to quickly employ state-of-the-art Technology solutions in tactical systems.

Service Chiefs strive to provide new capabilities to the warfighter at a rapid rate.  This is sometimes referred to as “Speed to Capability.” Service Chiefs also have a responsibility to ensure that all Information Systems (IS) are resilient against Cyber attackers.  This defense is intended to ensure that sensitive information cannot be exfiltrated by an enemy, and that systems are able to resist a wide variety of attacks.  The determination that a system has a low risk of operation is referred to as Accreditation.

The DOD currently uses the Risk Management Framework (RMF)to determine Accreditation.  The RMF method of accreditation was developed by the National Institute of Standards and Technology (NIST).  This process for accreditation of IS is intended to cover a wide variety of IS implementations by all Federal agencies. Because most Federal IS are business-oriented networks, the RMF is geared towards assessing Enterprise networks. The same process is applied to Warfighter tactical Systems – this is not a good fit.

RMF is a very granular process, although it provides some latitude on what measures need to be implemented to achieve accreditation, it is a time-consuming process, taking a year or more to achieve accreditation. Meanwhile, Service Chiefs a have need to push state of the art improvements for our tactical systems in a timely manner.

If we are going to achieve the “Speed to Capability” for our tactical systems, The RMF needs to be significantly modified to recognize that Tactical Systems are not Enterprise Networks. Tactical systems require an alternative process to achieve accreditation to ensure our Warfighters have the best technology available in the tactical systems that defend our country.