ITIL and the DoD RMF - Part 1 of 3 - Introduction to the RMF

It’s October, which means it is National Cyber Security Awareness Month, and that is the theme for this month’s entry.

The Second Punic War, whose primary antagonists were the Republic of Rome and her arch rival for supremacy of the Mediterranean, Carthage, provides an interesting anecdote.  The war was fought on multiple fronts, including Spain, Gaul, Italy, Sicily, the Balearic Islands, Greece, and Africa!  There are many, many wonderful stories from this war, but the one I wish to relate today comes from the later campaign in Spain.

At the point I pick up (I’m relating the story as told by Livy), a Carthaginian army under two generals – Hanno and Mago – had entered a region of Spain known as Celtiberia and raised a force of Celtiberians to supplement the troops they had brought from Africa.  Against this force, the Roman commander, Scipio, sent Silanus with a body of infantry and cavalry, guided through the terrain by Celtiberian deserters, to engage the Carthaginian force.

Silanus was able to approach undetected, and found that his opponents had encamped separately, Celtiberians in one camp and Carthaginians in the other, far enough apart to provide an opportunity to deal with each force independently.  And that’s exactly what he did!  Scouts reported that the Carthaginian camp was disciplined and in good order, with watches and pickets, while the Celtiberian camp lacked adequate watchfulness.

Silanus attacked the Celtiberians first, defeating them just outside the gates of their camp, then pivoted to deal with the Carthaginian light infantry, who had arrived from the other camp too late to influence the outcome, which was decided in favor of the Romans.

The outcome may have been very different if the two camps had coordinated their defense!

The history of cyber defense in the U.S. military may be interpreted as reflecting similar lessons – historically, probes and attacks against the various Department of Defense (DoD) entities would encounter a patchwork of defense strategies and postures, and an attacker could pick off the least watchful camp.  The DoD Risk Management Framework addresses the problem of an uncoordinated defense, and provides organizations within DoD with a common approach, methodology, and standard for achieving an organized and cohesive cyber defense.  (Think Mago ordering the Celtiberians to post lookouts and pickets in the same fashion as the Carthaginians, and then inspecting them rigorously to ensure that they had done so.)

The DoD Risk Management Framework (RMF) is defined in DoD Instruction 8510.01, a document that is publicly available at this site - https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf.  The RMF relies on publications from the National Institute of Standards and Technology (NIST) for the security standards it seeks to implement: the RMF process itself follows NIST Special Publication 800-37, and the catalog of security controls it draws on is NIST Special Publication 800-53.

The desired outcome of implementing the RMF is an IT system that is reasonably secure from cyber attacks.  To achieve this end, six steps are defined.  Firstly, the system must be categorized – what sort of system are we dealing with?  What information does it process, store, or transmit?  And how damaging would be the consequences of a successful attack – that is, of a loss of the confidentiality, integrity, or availability of that information?  The answers place the system in a category (low, moderate, or high impact) that drives everything that follows.

After the system has been categorized, the second, and key, step occurs – selecting security controls.  The system’s category determines a baseline set of controls, and those in charge of security for the system in question then ask themselves, “from this NIST publication that defines all sorts of security controls, which do I think would help make my system more secure, and which don’t apply to this system?”.  The result of that tailoring is recorded in the system’s security plan.

In the third step, the controls that were selected in step 2 are implemented.  IT controls are a whole other topic, but for here it suffices to say that the NIST document defines the controls for us and provides some guidance as to what a “good” implementation of each control looks like.

The fourth step is assessing the controls that were implemented, to verify that they are in place and performing as designed.  (Think Deming – Plan, Do, Check, Act – this step is the “Check”.)  A “get well” plan – in RMF terms, a Plan of Action and Milestones, or POA&M – is developed for any controls that fall short of the standard.

Step five is to authorize the system – an authorizing official reviews the security plan, the assessment results, and the residual risk, and formally accepts that risk by granting the system an authorization to operate.  And finally, step six is to monitor the controls on an ongoing basis and modify the plan and controls over time as the system, its environment, and the threat change.

So, as a person interested in ITIL, why does all this matter to you?  On all kinds of levels is the answer, whether or not you support DoD!  And that is the subject of part two…  For now, the summary is that the RMF seeks to provide a coordinated defense for DoD systems, and that it does so through the selection, implementation, assessment, and continuous monitoring of a set of security controls.

By the way, the Second Punic War, aside from providing the introduction, is an absolutely fascinating period of history about which to read – full of dominant personalities, romance, intrigue, and iconic military actions.  It’s exciting!

Forward to Part 2