Navy looks beyond RMF to build cyber resilience

The Navy wants to fortify its cyber resilience to keep pace with rapid software development needs, but changing workforce habits has to come first.

Vice Adm. Jeffrey Trussler, the deputy chief of naval operations for information warfare and director of naval intelligence, called the risk management framework (RMF) process a "laborious" but necessary step to "get in the door" that doesn't guarantee protection against evolving cyber threats.

"You've got to do this if you want to walk through the door," Trussler said during a panel on cyber threats at Sea Air Space on Aug. 3. "Is that going to protect you? No, these are just kind of the known things you need to take care of. Very simple."

Trussler went on to say that once vulnerabilities from software and hardware vendors are known, the challenge is implementation across ships, planes and networked systems scattered globally.

"We do all of these things, but we still don't know. And those things get blown up when you get some intelligence that tells you, 'Oh [an adversary is] in the system or they're really working hard [to hack into] this system,'" he said.

That problem is complicated when mission applications are being continuously updated. Rear Adm. Susan BryerJoyner, the director of the Navy's cybersecurity division in the Office of the Chief of Naval Operations, said that as the Navy moves to embrace DevSecOps, which aims to incorporate security throughout the software development cycle, evolving RMF as part of that shift has proved challenging.

"Modernization and cybersecurity are my top two priorities. And I say that because I've got to modernize my infrastructure, where I can't modernize the infrastructure, I've got to figure out how I apply these new technologies because they're important and they give me visibility that I've never had before," BryerJoyner said during a NAVWAR cybersecurity breakout session Aug. 4.

"And not only do we have to modernize the infrastructure, we have to modernize our approach."

With legacy software development, BryerJoyner said there's "a certain level of mission assurance when it comes out the back end -- cybersecurity, not so much -- but mission assurance absolutely because we test the heck out of it.... How do I change that mindset moving from RMF of yesterday to RMF of tomorrow, where I have cloud based environments?"

BryerJoyner said that with DevSecOps, the key is maintaining confidence in applications that are constantly updated and maintaining the necessary authorities to operate because the standard RMF process can't keep up with the "speed and agility that we need to take advantage of this modern technology."

"It should not take a master's degree in RMF in order to put together a package," BryerJoyner said, adding that there's a working group dedicated to investigating technologies that can help with continuous monitoring that can determine whether a system is maintaining or if it has a potentially exploitable critical vulnerability.

"We're looking at what needs to change in order to support DevSecOps," BryerJoyner said. Part of that is done through RAISE, which stands for Rapid Assess and Incorporate Software Engineering process, and yields a certified software pipeline.

"What that required was encouraging the people that are actually in the process to interpret the guidance in a way that makes sense for the environment. So, part of the challenge with DevSecOps is the workforce development," BryerJoyner said.

"If I've authorized the environment it's going to operate in, and I've authorized the pipeline and security that's going to be in development, do I really need to look as hard at what's coming out?... These are the kinds of discussions that we're having."

The result, she said, could be a different policy interpretation or making it more explicit.

However, there's likely going to be a "constant loop" of threats and vulnerabilities, especially when software outpaces hardware. And for Trussler, that means forging more trusted partnerships and red teams to seek out and test weak spots.

"They're just things you're never going to fix.... We're not ever going to upgrade this software until we upgrade this hardware, and that's hard for a big fleet of ships," Trussler said Aug. 3.

"The intelligence and the red teams will really blow up what you think. And that's where I think we have to get more in partnerships and creativity and putting people who haven't built and haven't invested their time and energy to tell you it's cyber-safe or tell you it's not vulnerable, but let some creative people think like the adversary."

This article first appeared on FCW, a Defense Systems partner site.