Defense Department to introduce "recently revised Management Framework" by November's conclusion

Defense Department to unveil the ten core principles of the revised Risk Management Framework in the approaching weeks, with the updated policy due for publication by November 30th.

The United States Department of Defense (DoD) is set to reveal significant changes in its approach to cybersecurity, with the revised Risk Management Framework (RMF) and a new concept called "mission network as-a-service" taking centre stage.

For seven years, the CMMC program has been in the making, described by Katie Arrington, the acting Defense Department chief information officer, as "beautiful." The revised RMF, a top discussion point in federal technology circles, aims to accelerate the acquisition of secure software and avoid the "two-year valley of death" associated with the current RMF process.

Two pilots have successfully gone through the Software Fast Track (SWFT) initiative within the DoD, marking the beginning of the overhaul of the RMF. The new RMF will include tenets such as continuous monitoring, re-evaluating cybersecurity service provider definitions, training and education, and using continuous Authority to Operate (ATO).

The Pentagon is also working on a new concept called "mission network as-a-service." This initiative aims to collapse disparate mission networks across combatant commands into secret-level environments built on commercial cloud. The "mission network as-a-service" environment will include identity, credential, and access management (ICAM) capabilities, as well as "appropriate data label and data tagging."

Katie Arrington will unveil the "10 commandments" of the new RMF in the coming weeks. However, the person who will disclose these commandments is not publicly specified at this time.

The Cybersecurity Maturity Model Certification (CMMC) program is set to officially go into effect on Nov. 10. Alongside the revised RMF, the CMMC program forms part of the DoD's new cybersecurity initiatives.

In the secret-level environment, only the necessary data will be made secret as it traverses into other levels. This is in line with the DoD's efforts to streamline its cybersecurity processes and ensure the rapid acquisition of secure software.

For years, DoD officials have expressed concerns about the current RMF being too static and arduous. In recent years, military services and defense agencies have been adopting the continuous ATO process instead of the current RMF process.

By November 30, the department will release a revised DoD instruction on cybersecurity, replacing the current DoDI 8500, which was last updated in 2019. These changes reflect the DoD's commitment to enhancing its cybersecurity measures and adapting to the evolving threat landscape.
