1
1
00:00:15,000 --> 00:00:16,320
Welcome to Your Cyber Path.
2
2
00:00:16,320 --> 00:00:17,520
I'm Kip Boyle,
3
3
00:00:17,520 --> 00:00:19,740
and we've got a guest who actually works
4
4
00:00:19,740 --> 00:00:22,350
with the risk management framework a lot
5
5
00:00:22,350 --> 00:00:25,230
and has some insider knowledge
6
6
00:00:25,230 --> 00:00:27,240
on a particular tool
7
7
00:00:27,240 --> 00:00:29,790
that sort of advertises itself
8
8
00:00:29,790 --> 00:00:34,440
as a way of automating the risk management framework.
9
9
00:00:34,440 --> 00:00:37,320
Her name is Rebecca Onuskanich,
10
10
00:00:37,320 --> 00:00:39,900
and I hope to heck I said that right. (laughing)
11
11
00:00:39,900 --> 00:00:41,100
Good, Rebecca
12
12
00:00:41,100 --> 00:00:42,150
So, welcome.
13
13
00:00:42,150 --> 00:00:43,380
We're so glad you're here.
14
14
00:00:43,380 --> 00:00:45,480
Would you please tell the audience a little bit
15
15
00:00:45,480 --> 00:00:47,480
about yourself and the work that you do?
16
16
00:00:48,450 --> 00:00:49,440
Yeah. Hey, thanks, Kip.
17
17
00:00:49,440 --> 00:00:51,060
Thanks for having me.
18
18
00:00:51,060 --> 00:00:51,893
So, as you mentioned,
19
19
00:00:51,893 --> 00:00:54,870
I do work with the risk management framework.
20
20
00:00:54,870 --> 00:00:56,490
Particularly, at this point in time,
21
21
00:00:56,490 --> 00:00:59,700
I'm working specifically in the Department of Defense,
22
22
00:00:59,700 --> 00:01:03,600
so most of my work is the Department of Defense's
23
23
00:01:03,600 --> 00:01:06,690
interpretation of the RMF process.
24
24
00:01:06,690 --> 00:01:08,730
I have worked in the federal agencies
25
25
00:01:08,730 --> 00:01:11,460
for quite a few years,
26
26
00:01:11,460 --> 00:01:13,470
but now, I'm back in the DOD.
27
27
00:01:13,470 --> 00:01:17,160
I started working in this space
28
28
00:01:17,160 --> 00:01:20,430
long before it was ever called the RMF process.
29
29
00:01:20,430 --> 00:01:24,990
So, I've been in DOD security compliance
30
30
00:01:24,990 --> 00:01:27,420
and information assurance for well over 20 years.
31
31
00:01:27,420 --> 00:01:29,280
So, I've seen it transition
32
32
00:01:29,280 --> 00:01:31,350
from very much keeping work process
33
33
00:01:31,350 --> 00:01:32,700
to where we're getting to this point
34
34
00:01:32,700 --> 00:01:36,930
of trying to automate the security configuration
35
35
00:01:36,930 --> 00:01:38,583
and compliance requirements.
36
36
00:01:39,485 --> 00:01:41,520
Again, I'm really happy you're here,
37
37
00:01:41,520 --> 00:01:44,760
because you're bringing a real depth of expertise
38
38
00:01:44,760 --> 00:01:48,360
to this topic for the benefit of our audience.
39
39
00:01:48,360 --> 00:01:53,360
And yeah, I recall my first experiences working
40
40
00:01:53,786 --> 00:01:55,230
kind of in this space,
41
41
00:01:55,230 --> 00:01:57,480
when I was on active duty in the Air Force,
42
42
00:01:57,480 --> 00:02:00,660
and let's just say it was primitive, (laughing)
43
43
00:02:00,660 --> 00:02:02,190
compared to what we're, you know,
44
44
00:02:02,190 --> 00:02:04,320
attempting to do now.
45
45
00:02:04,320 --> 00:02:06,120
Well, listen, everybody, as a reminder,
46
46
00:02:06,120 --> 00:02:09,960
RMF provides a process that integrates security, privacy,
47
47
00:02:09,960 --> 00:02:12,960
and cyber supply chain risk management activities
48
48
00:02:12,960 --> 00:02:15,510
all into a systems development life cycle.
49
49
00:02:15,510 --> 00:02:17,940
And there are seven steps in the process.
50
50
00:02:17,940 --> 00:02:21,420
So, I'll recap them now, and Rebecca,
51
51
00:02:21,420 --> 00:02:23,010
you can chime in and, you know,
52
52
00:02:23,010 --> 00:02:24,630
tell me if I get any of this wrong,
53
53
00:02:24,630 --> 00:02:25,860
'cause I know you have more experience
54
54
00:02:25,860 --> 00:02:27,060
with it than I do,
55
55
00:02:27,060 --> 00:02:30,660
but the first step is you have to prepare your organization
56
56
00:02:30,660 --> 00:02:33,120
to manage security and privacy risk.
57
57
00:02:33,120 --> 00:02:35,820
The second step is you have to categorize your system
58
58
00:02:35,820 --> 00:02:37,590
and the information that it processes,
59
59
00:02:37,590 --> 00:02:39,630
stores, and transmits.
60
60
00:02:39,630 --> 00:02:41,250
The third step is you've got to get
61
61
00:02:41,250 --> 00:02:44,820
into NIST Special Publication 800-53,
62
62
00:02:44,820 --> 00:02:46,530
which is a catalog of controls,
63
63
00:02:46,530 --> 00:02:48,510
and you have to select the ones
64
64
00:02:48,510 --> 00:02:51,300
that are going to help you reduce risk.
65
65
00:02:51,300 --> 00:02:53,730
Step number four is you implement the controls,
66
66
00:02:53,730 --> 00:02:55,740
and you document how they're deployed.
67
67
00:02:55,740 --> 00:02:58,560
Step number five is you assess to determine
68
68
00:02:58,560 --> 00:03:00,000
if the controls are in place,
69
69
00:03:00,000 --> 00:03:01,980
that they're operating as they're supposed to,
70
70
00:03:01,980 --> 00:03:05,220
and that you're getting the correct results from them.
71
71
00:03:05,220 --> 00:03:09,360
Step number six is a senior official is then asked
72
72
00:03:09,360 --> 00:03:11,280
to make a risk-based decision
73
73
00:03:11,280 --> 00:03:13,410
to authorize the system to operate,
74
74
00:03:13,410 --> 00:03:15,540
you know, to become a production system.
75
75
00:03:15,540 --> 00:03:16,770
And then the seventh step is
76
76
00:03:16,770 --> 00:03:21,510
to continuously monitor the implementation of your controls
77
77
00:03:21,510 --> 00:03:23,460
and to make sure that the risks
78
78
00:03:23,460 --> 00:03:26,490
to your systems stay reasonable.
79
79
00:03:26,490 --> 00:03:27,759
What do you think, Rebecca,
80
80
00:03:27,759 --> 00:03:30,420
was that an okay summary?
81
81
00:03:30,420 --> 00:03:31,740
That was perfect, yes.
82
82
00:03:31,740 --> 00:03:32,910
Okay, great.
83
83
00:03:32,910 --> 00:03:34,680
All right, so now, what I want to do is
84
84
00:03:34,680 --> 00:03:38,250
I want to really talk about using a particular tool
85
85
00:03:38,250 --> 00:03:41,040
to automate some of this work,
86
86
00:03:41,040 --> 00:03:43,050
'cause there's a lot to do here.
87
87
00:03:43,050 --> 00:03:45,630
And when we were doing pre-show prep,
88
88
00:03:45,630 --> 00:03:47,827
Rebecca was saying to me,
89
89
00:03:47,827 --> 00:03:51,360
"You know, Kip, this tool, called eMASS,
90
90
00:03:51,360 --> 00:03:53,310
it probably doesn't automate
91
91
00:03:53,310 --> 00:03:55,080
as much as people might think,"
92
92
00:03:55,080 --> 00:03:56,640
which was kind of surprising to me.
93
93
00:03:56,640 --> 00:03:58,470
I haven't used eMASS,
94
94
00:03:58,470 --> 00:04:01,230
but Rebecca, I was hoping you could kind of unpack
95
95
00:04:01,230 --> 00:04:02,850
that a little bit and tell people, you know,
96
96
00:04:02,850 --> 00:04:03,850
what does that mean?
97
97
00:04:05,220 --> 00:04:10,020
Yeah, so eMASS does definitely support the framework
98
98
00:04:10,020 --> 00:04:13,797
in walking through the actual RMF process.
99
99
00:04:13,797 --> 00:04:16,320
And you can do things like,
100
100
00:04:16,320 --> 00:04:18,423
when you put your system into eMASS,
101
101
00:04:19,500 --> 00:04:21,600
once you have a hardware list and a software list,
102
102
00:04:21,600 --> 00:04:24,510
and you do your Nessus vulnerability scanners,
103
103
00:04:24,510 --> 00:04:27,690
you do your security technical implementation guide
104
104
00:04:27,690 --> 00:04:29,070
or your STIG checklist,
105
105
00:04:29,070 --> 00:04:31,590
you can import that data into eMASS,
106
106
00:04:31,590 --> 00:04:34,200
and then it will correlate those findings.
107
107
00:04:34,200 --> 00:04:36,780
So, let's say that you run an ACAS scan,
108
108
00:04:36,780 --> 00:04:40,440
and there is a vulnerability associated with the software
109
109
00:04:40,440 --> 00:04:42,480
or a piece of hardware,
110
110
00:04:42,480 --> 00:04:45,450
it will associate that security control
111
111
00:04:45,450 --> 00:04:50,250
with that piece of software as a non-compliant item.
112
112
00:04:50,250 --> 00:04:52,080
But it's not going to actually do things
113
113
00:04:52,080 --> 00:04:55,620
like write all of your security documentation for you
114
114
00:04:55,620 --> 00:05:00,000
on how you do identification and authentication.
115
115
00:05:00,000 --> 00:05:03,240
You've actually got to do that work to put it into eMASS.
116
116
00:05:03,240 --> 00:05:04,470
I see, okay.
117
117
00:05:04,470 --> 00:05:08,160
So, maybe eMASS would be better characterized
118
118
00:05:08,160 --> 00:05:10,320
as just like a data store
119
119
00:05:10,320 --> 00:05:12,270
and just a way to organize yourself.
120
120
00:05:12,270 --> 00:05:13,800
Do you think that's a more accurate description
121
121
00:05:13,800 --> 00:05:15,270
of what it does?
122
122
00:05:15,270 --> 00:05:18,360
Yeah, it does definitely keep all of your data,
123
123
00:05:18,360 --> 00:05:21,540
all of your system identification information,
124
124
00:05:21,540 --> 00:05:23,880
like, you do security categorization in there.
125
125
00:05:23,880 --> 00:05:26,430
So, we're talking step one, preparing.
126
126
00:05:26,430 --> 00:05:29,010
That's when we build our system in eMASS.
127
127
00:05:29,010 --> 00:05:31,530
When we start to move it or, step zero, prepare.
128
128
00:05:31,530 --> 00:05:33,750
Step one, we start to look
129
129
00:05:33,750 --> 00:05:35,400
at actually getting our team together.
130
130
00:05:35,400 --> 00:05:39,240
That's when we assign all of the individuals in eMASS,
131
131
00:05:39,240 --> 00:05:42,360
and then we, you know, add things like our system name,
132
132
00:05:42,360 --> 00:05:45,090
start looking at what version are we working on,
133
133
00:05:45,090 --> 00:05:47,250
what network is it going on?
134
134
00:05:47,250 --> 00:05:50,040
And then, when we move into that categorization phase,
135
135
00:05:50,040 --> 00:05:51,300
eMASS does a very good job
136
136
00:05:51,300 --> 00:05:53,730
of helping us categorize our system
137
137
00:05:53,730 --> 00:05:57,300
based on NIST Special Publication 800-60 Volume II,
138
138
00:05:57,300 --> 00:06:00,764
and then select our security controls from there.
139
139
00:06:00,764 --> 00:06:01,620
Okay, okay.
140
140
00:06:01,620 --> 00:06:02,880
So, eMASS is helpful,
141
141
00:06:02,880 --> 00:06:06,900
I guess is my takeaway from this part of our conversation.
142
142
00:06:06,900 --> 00:06:08,250
And so, it's worth us, you know,
143
143
00:06:08,250 --> 00:06:11,100
spending some more time on the episode now to, you know,
144
144
00:06:11,100 --> 00:06:12,420
kind of understand it a little bit better.
145
145
00:06:12,420 --> 00:06:15,210
And I suppose I should probably stop at this point
146
146
00:06:15,210 --> 00:06:18,810
and tell people that eMASS is an acronym,
147
147
00:06:18,810 --> 00:06:20,010
and it actually stands for
148
148
00:06:20,010 --> 00:06:23,520
Enterprise Mission Assurance Support Service.
149
149
00:06:23,520 --> 00:06:24,570
I'm sure, Rebecca,
150
150
00:06:24,570 --> 00:06:27,480
you probably have other names for it, (laughing)
151
151
00:06:27,480 --> 00:06:30,810
probably in frustration, but that's- (laughing)
152
152
00:06:30,810 --> 00:06:33,063
I think that's the proper name.
153
153
00:06:34,500 --> 00:06:38,940
So, let's talk about how you use RMF in your work
154
154
00:06:38,940 --> 00:06:41,820
before we really start talking about eMASS,
155
155
00:06:41,820 --> 00:06:43,643
because my understanding is, you know,
156
156
00:06:43,643 --> 00:06:47,370
RMF and eMASS are kind of a one-size-fits-all
157
157
00:06:47,370 --> 00:06:51,090
sort of a thing, but not everybody's doing the same kind
158
158
00:06:51,090 --> 00:06:53,610
of work at the same scale.
159
159
00:06:53,610 --> 00:06:57,633
So, how do you use RMF, and let's start there.
160
160
00:06:58,710 --> 00:07:02,070
Yeah. So, I come from a tactical world.
161
161
00:07:02,070 --> 00:07:05,280
So I come from a, we've got a mission coming up.
162
162
00:07:05,280 --> 00:07:06,630
It starts on Sunday.
163
163
00:07:06,630 --> 00:07:08,580
We have to get a system authorized
164
164
00:07:08,580 --> 00:07:12,003
and out to the field for a military user.
165
165
00:07:13,143 --> 00:07:16,153
And so, when we use RMF in that process,
166
166
00:07:16,153 --> 00:07:17,220
it's much more agile,
167
167
00:07:17,220 --> 00:07:20,220
it has to be adapted to be flexible,
168
168
00:07:20,220 --> 00:07:22,410
and it's all mission focused.
169
169
00:07:22,410 --> 00:07:26,490
And when we start looking at system categorization,
170
170
00:07:26,490 --> 00:07:29,490
it's more based not only just around confidentiality,
171
171
00:07:29,490 --> 00:07:30,780
integrity and availability,
172
172
00:07:30,780 --> 00:07:34,320
but we are also looking at the mission aspect of that.
173
173
00:07:34,320 --> 00:07:36,320
So, when you start thinking about things
174
174
00:07:37,171 --> 00:07:41,490
like weapon systems, IoT,
175
175
00:07:44,310 --> 00:07:47,430
you have very unique requirements in those systems
176
176
00:07:47,430 --> 00:07:49,770
where they can't necessarily implement
177
177
00:07:49,770 --> 00:07:51,360
what would be selected
178
178
00:07:51,360 --> 00:07:53,670
from a baseline categorization,
179
179
00:07:53,670 --> 00:07:55,170
from a CIA perspective.
180
180
00:07:55,170 --> 00:07:57,240
So, that's when tailoring comes in.
181
181
00:07:57,240 --> 00:08:01,080
Tailoring is a key part of the control selection process,
and, in my experience, a lot of people forget
183
183
00:08:05,400 --> 00:08:09,270
that RMF is the framework that is to be adapted
184
184
00:08:09,270 --> 00:08:13,740
by organizations, and it provides the executive leadership
185
185
00:08:13,740 --> 00:08:17,580
in those organizations to make decisions
186
186
00:08:17,580 --> 00:08:19,140
on how they're going to adapt that framework
187
187
00:08:19,140 --> 00:08:21,210
for their systems and their missions.
188
188
00:08:21,210 --> 00:08:23,160
And that's really what's left out a lot
189
189
00:08:24,183 --> 00:08:27,480
in the DOD's implementation and interpretation of the RMF.
190
190
00:08:27,480 --> 00:08:29,880
Hmm. Is this tailoring aspect that,
191
191
00:08:29,880 --> 00:08:34,590
that people are expected to adapt the RMF
192
192
00:08:34,590 --> 00:08:37,500
to their specific situation? Is that right?
193
193
00:08:37,500 --> 00:08:38,580
That's correct, yes.
194
194
00:08:38,580 --> 00:08:39,859
Yeah,
195
195
00:08:39,859 --> 00:08:40,932
and I would think that,
196
196
00:08:40,932 --> 00:08:43,110
especially newer people to RMF would,
197
197
00:08:43,110 --> 00:08:45,660
would actually find that maybe a little bit intimidating
198
198
00:08:45,660 --> 00:08:47,820
or maybe a little bit like scary,
199
199
00:08:47,820 --> 00:08:50,130
'cause it's like, no, I want a checklist.
200
200
00:08:50,130 --> 00:08:51,960
What do you mean it's not a checklist, right?
201
201
00:08:51,960 --> 00:08:55,890
I mean, do you think that's part of maybe what's going on?
202
202
00:08:55,890 --> 00:08:57,450
Yeah, and like you,
203
203
00:08:57,450 --> 00:08:59,370
I was Air Force before I enlisted,
204
204
00:08:59,370 --> 00:09:02,190
and everything is standard operating procedure,
205
205
00:09:02,190 --> 00:09:04,350
TTP, we follow a checklist,
206
206
00:09:04,350 --> 00:09:06,300
you don't deviate from the checklist,
207
207
00:09:06,300 --> 00:09:08,310
'cause there's safety concerns,
208
208
00:09:08,310 --> 00:09:09,720
there's mission concerns.
209
209
00:09:09,720 --> 00:09:12,870
So, when we talk cybersecurity and RMF,
210
210
00:09:12,870 --> 00:09:17,310
and it being such an interpretable process,
211
211
00:09:17,310 --> 00:09:21,210
it's very difficult for us to kind of adapt our mindset
212
212
00:09:21,210 --> 00:09:22,620
to be able to say, wait,
213
213
00:09:22,620 --> 00:09:24,930
we can actually critically think
214
214
00:09:24,930 --> 00:09:27,360
about the system design aspects,
215
215
00:09:27,360 --> 00:09:30,900
the security requirements, the mission, the users,
216
216
00:09:30,900 --> 00:09:32,220
and put all that together,
217
217
00:09:32,220 --> 00:09:34,980
and, as a team, sit down and decide
218
218
00:09:34,980 --> 00:09:38,743
what are the tailoring aspects of this system,
219
219
00:09:38,743 --> 00:09:41,310
the baseline and the tailored controls,
220
220
00:09:41,310 --> 00:09:44,190
and then get that authorizing official
221
221
00:09:44,190 --> 00:09:46,350
or that AO's buy-in very early.
222
222
00:09:46,350 --> 00:09:48,334
So, we designed the system
223
223
00:09:48,334 --> 00:09:49,560
where it is not over-engineered
224
224
00:09:49,560 --> 00:09:50,820
from a security perspective,
225
225
00:09:50,820 --> 00:09:53,220
but it's also protecting the data,
226
226
00:09:53,220 --> 00:09:54,480
the users, and the mission.
227
227
00:09:54,480 --> 00:09:55,653
Yeah. Yeah.
228
228
00:09:56,640 --> 00:09:58,470
And, do you think there's a risk that,
229
229
00:09:58,470 --> 00:10:01,958
as people try to tailor RMF for their situation,
230
230
00:10:01,958 --> 00:10:05,010
that they might make some big mistakes,
231
231
00:10:05,010 --> 00:10:06,720
as far as like, they might leave things out
232
232
00:10:06,720 --> 00:10:08,100
that they really shouldn't leave out?
233
233
00:10:08,100 --> 00:10:10,620
I mean, is there a lot of risk, you know,
234
234
00:10:10,620 --> 00:10:13,410
that people are really going to mess up the tailoring?
235
235
00:10:13,410 --> 00:10:14,243
Yes.
236
236
00:10:14,243 --> 00:10:15,390
Tailoring is one of those things,
237
237
00:10:15,390 --> 00:10:18,660
and that's why we have such a hard time with it in the DOD.
238
238
00:10:18,660 --> 00:10:20,250
And I have seen instances
239
239
00:10:20,250 --> 00:10:21,960
where things have been tailored out
240
240
00:10:21,960 --> 00:10:25,830
that actually increase the risk to the user
241
241
00:10:25,830 --> 00:10:28,740
on the system, and that has to be sent
242
242
00:10:28,740 --> 00:10:30,540
to the authorizing official
243
243
00:10:30,540 --> 00:10:32,760
to help make that determination,
244
244
00:10:32,760 --> 00:10:35,144
because there is a cost to all of this, right?
245
245
00:10:35,144 --> 00:10:35,977
Yeah.
246
246
00:10:35,977 --> 00:10:38,460
And especially, as someone who's worked as, you know,
247
247
00:10:38,460 --> 00:10:40,680
a security manager, a security engineer,
248
248
00:10:40,680 --> 00:10:42,450
we all think cost, we all think budget,
249
249
00:10:42,450 --> 00:10:43,623
we all think schedules.
250
250
00:10:44,520 --> 00:10:47,730
And that's where we're having a pretty large disconnect
251
251
00:10:47,730 --> 00:10:51,690
in the DOD, is that we have our main area of expertise
252
252
00:10:51,690 --> 00:10:53,280
and our focus, and we're concerned
with securing data, connections, users, risk.
254
254
00:10:57,810 --> 00:11:00,780
I mean, cost and schedules,
255
255
00:11:00,780 --> 00:11:04,050
that's program managers, that's program office,
256
256
00:11:04,050 --> 00:11:05,070
that's not our concern.
257
257
00:11:05,070 --> 00:11:06,690
And that's where we,
258
258
00:11:06,690 --> 00:11:09,510
we really start to disconnect in the DOD.
259
259
00:11:09,510 --> 00:11:10,800
Okay.
260
260
00:11:10,800 --> 00:11:11,760
This is so helpful.
261
261
00:11:11,760 --> 00:11:13,500
I mean, I think for anybody who hasn't worked
262
262
00:11:13,500 --> 00:11:16,560
with RMF for very long, or maybe they have,
263
263
00:11:16,560 --> 00:11:18,300
and they just find it really frustrating,
264
264
00:11:18,300 --> 00:11:20,820
I would hope this conversation would be really helpful
265
265
00:11:20,820 --> 00:11:22,860
to them to get them grounded
266
266
00:11:22,860 --> 00:11:24,780
on how you actually do this stuff.
267
267
00:11:24,780 --> 00:11:26,130
I'm interested though, Rebecca,
268
268
00:11:26,130 --> 00:11:30,180
would you kind of tell us how you got into RMF?
269
269
00:11:30,180 --> 00:11:31,410
Like, you know, where did this-
270
270
00:11:31,410 --> 00:11:32,910
Where did RMF start for you?
271
271
00:11:32,910 --> 00:11:34,230
Because to your point, you know,
272
272
00:11:34,230 --> 00:11:37,260
you started doing this work before RMF came along,
273
273
00:11:37,260 --> 00:11:41,135
but yeah, how did you and RMF meet?
274
274
00:11:41,135 --> 00:11:44,340
Yeah, I was actually military intelligence,
275
275
00:11:44,340 --> 00:11:49,100
and I took an assignment in networking for Central Command,
276
276
00:11:49,100 --> 00:11:50,580
and I got into it
277
277
00:11:50,580 --> 00:11:53,820
when it was still called information assurance.
278
278
00:11:53,820 --> 00:11:56,280
So, before the cybersecurity terminology.
279
279
00:11:56,280 --> 00:11:57,510
I remember that.
280
280
00:11:57,510 --> 00:11:58,710
Yes.
281
281
00:11:58,710 --> 00:12:02,280
Back in the pre-DITSCAP, then DITSCAP,
282
282
00:12:02,280 --> 00:12:04,290
and then DIACAP days,
283
283
00:12:04,290 --> 00:12:06,540
and then, actually, I got into RMF
284
284
00:12:06,540 --> 00:12:08,850
when I separated from the Air Force
285
285
00:12:08,850 --> 00:12:11,370
and started working for the federal agencies.
286
286
00:12:11,370 --> 00:12:15,630
And so, they were already following the 800-37 framework
287
287
00:12:15,630 --> 00:12:17,221
at that time.
288
288
00:12:17,221 --> 00:12:19,530
And so, I had to learn their process
289
289
00:12:19,530 --> 00:12:21,030
and how they do things.
290
290
00:12:21,030 --> 00:12:23,280
And then, once I learned that,
291
291
00:12:23,280 --> 00:12:27,093
and the DOD switched to the 8510.01 under the RMF,
292
292
00:12:28,200 --> 00:12:30,600
I started getting a lot more clients
293
293
00:12:30,600 --> 00:12:33,210
who were selling to the DOD
294
294
00:12:33,210 --> 00:12:35,640
who needed to understand this new RMF process
295
295
00:12:35,640 --> 00:12:39,477
and how to secure and sell to the Department of Defense.
296
296
00:12:39,477 --> 00:12:40,672
Ah, okay.
297
297
00:12:40,672 --> 00:12:42,060
Okay. Well, and you know,
298
298
00:12:42,060 --> 00:12:44,670
that's another interesting story that I would love to talk
299
299
00:12:44,670 --> 00:12:46,590
with you about, probably not during the episode today,
300
300
00:12:46,590 --> 00:12:50,160
but I think what you said is
301
301
00:12:50,160 --> 00:12:52,230
that you are actually a business owner, right?
302
302
00:12:52,230 --> 00:12:56,280
That you kind of launched your own company
303
303
00:12:56,280 --> 00:12:59,610
in order to help, but from a civilian point of view.
304
304
00:12:59,610 --> 00:13:01,110
Is that right?
305
305
00:13:01,110 --> 00:13:02,250
That's correct, yes.
306
306
00:13:02,250 --> 00:13:03,848
And you know what,
307
307
00:13:03,848 --> 00:13:05,400
I don't see a lot of people who leave the military
308
308
00:13:05,400 --> 00:13:06,600
who start their own businesses.
309
309
00:13:06,600 --> 00:13:10,383
I think that's a fairly uncommon thing.
310
310
00:13:10,383 --> 00:13:12,540
That's what I did eventually,
311
311
00:13:12,540 --> 00:13:14,730
but it took me a while to get there,
312
312
00:13:14,730 --> 00:13:16,260
but I just want to congratulate you
313
313
00:13:16,260 --> 00:13:18,540
for taking the road less traveled.
314
314
00:13:18,540 --> 00:13:20,370
So, I just think it's really cool.
315
315
00:13:20,370 --> 00:13:21,750
Thanks!
316
316
00:13:21,750 --> 00:13:22,583
Yeah, you're welcome.
317
317
00:13:22,583 --> 00:13:23,940
So, let's move on.
318
318
00:13:23,940 --> 00:13:26,580
Let's continue to unpack this, you know,
319
319
00:13:26,580 --> 00:13:29,880
how does RMF, you know, work in the real world?
320
320
00:13:29,880 --> 00:13:31,260
And I think a big part of that
321
321
00:13:31,260 --> 00:13:32,250
is something you said earlier,
322
322
00:13:32,250 --> 00:13:34,440
which is, okay, well we've got RMF,
323
323
00:13:34,440 --> 00:13:37,260
it's documented, we have to tailor it,
324
324
00:13:37,260 --> 00:13:39,030
but it's kind of a one-size-fits-all thing.
325
325
00:13:39,030 --> 00:13:42,450
It doesn't really anticipate, you know, every use case,
326
326
00:13:42,450 --> 00:13:44,790
but so, how do you actually use it, right?
327
327
00:13:44,790 --> 00:13:47,340
How do you make the best use of it,
328
328
00:13:47,340 --> 00:13:50,343
given that it's such a slippery kind of thing?
329
329
00:13:51,330 --> 00:13:54,480
So, right now, I'm in a situation
330
330
00:13:54,480 --> 00:13:55,800
that I am actually starting
331
331
00:13:55,800 --> 00:13:58,230
to help the acquisition community.
332
332
00:13:58,230 --> 00:14:03,120
So, the acquisition community puts the requirements
for security on government contracts, right?
334
334
00:14:05,790 --> 00:14:07,380
And typically in the past,
335
335
00:14:07,380 --> 00:14:10,740
it would be, you have to comply with DOD 8510.01.
336
336
00:14:10,740 --> 00:14:12,793
Well, okay, that's a very- (chuckles)
337
337
00:14:12,793 --> 00:14:14,940
A very large assumption is made there,
338
338
00:14:14,940 --> 00:14:18,300
that anyone even understands the instructions to begin with.
339
339
00:14:18,300 --> 00:14:20,880
And then how to interpret it and how to, you know,
340
340
00:14:20,880 --> 00:14:23,250
select their baseline and then tailor.
341
341
00:14:23,250 --> 00:14:27,300
So, what we've been working on recently is
342
342
00:14:27,300 --> 00:14:29,100
developing acquisition language,
343
343
00:14:29,100 --> 00:14:31,920
so that, when something gets put on contract,
344
344
00:14:31,920 --> 00:14:35,280
the contractor, the integrator, the developer,
345
345
00:14:35,280 --> 00:14:36,870
even a small business like me,
346
346
00:14:36,870 --> 00:14:40,350
I understand exactly what I'm selling to the government,
347
347
00:14:40,350 --> 00:14:41,353
because I-
348
348
00:14:41,353 --> 00:14:43,620
I mean, something as simple as encryption type,
349
349
00:14:43,620 --> 00:14:45,870
that I have to build into software,
350
350
00:14:45,870 --> 00:14:48,363
can vastly change the cost, right?
351
351
00:14:48,363 --> 00:14:51,540
So, I have to bring in someone that understands the-
352
352
00:14:51,540 --> 00:14:55,173
A Type 2 encryptor versus a FIPS 140 encryption mechanism.
353
353
00:14:56,310 --> 00:14:59,550
The cost of that type of engineer varies significantly,
354
354
00:14:59,550 --> 00:15:01,920
and the amount of time it'll take to develop.
355
355
00:15:01,920 --> 00:15:05,190
So, actually getting into the acquisition cycle is going
356
356
00:15:05,190 --> 00:15:07,200
to be key to actually being able
357
357
00:15:07,200 --> 00:15:10,560
to implement RMF correctly across the DOD.
358
358
00:15:10,560 --> 00:15:11,393
Mm.
359
359
00:15:12,330 --> 00:15:14,400
And right now, there's a lot of,
360
360
00:15:14,400 --> 00:15:16,140
I don't want to say animosity,
361
361
00:15:16,140 --> 00:15:18,870
but there is quite a bit of frustration
362
362
00:15:18,870 --> 00:15:21,090
with the RMF process in the DOD.
363
363
00:15:21,090 --> 00:15:23,583
And I really think that's because the way
364
364
00:15:23,583 --> 00:15:25,800
that it was rolled out, it was-
365
365
00:15:25,800 --> 00:15:27,450
The way it was trained
366
366
00:15:27,450 --> 00:15:29,670
to all of the security managers,
367
367
00:15:29,670 --> 00:15:32,700
it was very much checklist mentality,
368
368
00:15:32,700 --> 00:15:35,340
let's categorize the system,
369
369
00:15:35,340 --> 00:15:38,100
no real tailoring was implemented,
370
370
00:15:38,100 --> 00:15:41,367
and it was a very rigid interpretation of the framework.
371
371
00:15:41,367 --> 00:15:43,650
Ah, so we're kind of our own worst enemies, right?
372
372
00:15:43,650 --> 00:15:46,170
Going back to a previous part of our conversation,
373
373
00:15:46,170 --> 00:15:48,600
where we were talking about how necessary it is
374
374
00:15:48,600 --> 00:15:49,860
to tailor it, but that our-
375
375
00:15:49,860 --> 00:15:51,990
The dominant culture is to not do that.
376
376
00:15:51,990 --> 00:15:54,267
The dominant culture is to be very rigid
377
377
00:15:54,267 --> 00:15:55,830
and to follow checklists.
378
378
00:15:55,830 --> 00:15:57,690
And what I'm hearing you say is, yeah,
379
379
00:15:57,690 --> 00:16:00,030
that's actually how they trained us to do it,
380
380
00:16:00,030 --> 00:16:04,080
which is not very enabling of the intent.
381
381
00:16:04,080 --> 00:16:06,810
And yeah, so I could see a lot of people
382
382
00:16:06,810 --> 00:16:10,770
would be frustrated by that, for sure.
383
383
00:16:10,770 --> 00:16:13,830
So, okay, so, is that how you were trained
384
384
00:16:13,830 --> 00:16:16,980
and you know, how did you work through that
385
385
00:16:16,980 --> 00:16:20,190
to be able to use RMF the way it was intended
386
386
00:16:20,190 --> 00:16:22,410
versus the way you were trained?
387
387
00:16:22,410 --> 00:16:24,453
I think that for me,
388
388
00:16:26,201 --> 00:16:27,601
I think it was my leadership
389
389
00:16:28,924 --> 00:16:32,640
and the fact that I come from a tactical environment,
390
390
00:16:32,640 --> 00:16:34,080
it was fast-moving.
391
391
00:16:34,080 --> 00:16:36,900
Our leadership all the way up the chain understood
392
392
00:16:36,900 --> 00:16:39,570
that security is a priority,
393
393
00:16:39,570 --> 00:16:44,190
but also, mission effectiveness is a higher priority.
394
394
00:16:44,190 --> 00:16:47,040
So, trying to balance those two things,
395
395
00:16:47,040 --> 00:16:50,700
we were able to have those very open conversations
396
396
00:16:50,700 --> 00:16:51,930
as to, "Okay, that's fine.
397
397
00:16:51,930 --> 00:16:55,230
We don't have time to acquire this encryption that we need,
398
398
00:16:55,230 --> 00:16:58,613
or we don't have time to implement this, you know,
399
399
00:16:58,613 --> 00:17:03,613
AV solution, and if you want to field it, that's a risk,
400
400
00:17:03,837 --> 00:17:05,190
and we have to understand
401
401
00:17:05,190 --> 00:17:07,137
what are the consequences of those risks."
402
402
00:17:07,137 --> 00:17:09,753
And so, having a leadership-
403
403
00:17:11,460 --> 00:17:12,690
Having the leadership in place
404
404
00:17:12,690 --> 00:17:16,620
that understood that we could make these trade-offs,
405
405
00:17:16,620 --> 00:17:19,380
but we needed to understand what we were trading off
406
406
00:17:19,380 --> 00:17:22,080
to ensure that we are doing our due diligence
407
407
00:17:22,080 --> 00:17:25,473
to protect the data, the users, and the missions.
408
408
00:17:26,370 --> 00:17:28,071
Okay. So, in other words,
409
409
00:17:28,071 --> 00:17:30,337
my interpretation of what you just said is,
410
410
00:17:30,337 --> 00:17:32,100
"Well, I went and got this training on RMF,
411
411
00:17:32,100 --> 00:17:35,186
and then I went to the real world." (laughing)
412
412
00:17:35,186 --> 00:17:39,480
And the real world said, "Hmm, we have to do a little,
413
413
00:17:39,480 --> 00:17:40,890
you have to do things a little differently,"
414
414
00:17:40,890 --> 00:17:43,050
because, real world, right?
415
415
00:17:43,050 --> 00:17:45,060
We've got to balance all these competing priorities,
416
416
00:17:45,060 --> 00:17:46,950
and at the end of the day,
417
417
00:17:46,950 --> 00:17:48,810
we've got to accomplish the mission, right?
418
418
00:17:48,810 --> 00:17:50,280
Whatever that takes.
419
419
00:17:50,280 --> 00:17:53,580
And so, those are the real world, you know,
420
420
00:17:53,580 --> 00:17:55,680
kind of trade-offs that a person has to make.
421
421
00:17:55,680 --> 00:17:59,160
So, yeah, so I guess maybe something that I would say
422
422
00:17:59,160 --> 00:18:01,350
to people is, if you're learning RMF,
423
423
00:18:01,350 --> 00:18:03,360
or maybe you've already been through the training
424
424
00:18:03,360 --> 00:18:05,130
and you're struggling with it,
425
425
00:18:05,130 --> 00:18:07,020
what I'm hearing is, you know,
426
426
00:18:07,020 --> 00:18:10,320
lean into the reality of the situation that you're in,
427
427
00:18:10,320 --> 00:18:11,430
and you know,
428
428
00:18:11,430 --> 00:18:13,260
draw what you can from RMF,
429
429
00:18:13,260 --> 00:18:15,900
but don't be such a slave to RMF
430
430
00:18:15,900 --> 00:18:18,060
that you can't get your mission accomplished.
431
431
00:18:18,060 --> 00:18:20,790
Is that like a reasonable way to kind of summarize
432
432
00:18:20,790 --> 00:18:22,410
what you were saying?
433
433
00:18:22,410 --> 00:18:23,310
Yes it is.
434
434
00:18:23,310 --> 00:18:26,220
Oh, and the one thing I'm always very adamant
435
435
00:18:26,220 --> 00:18:29,670
about telling people is that, make sure you're truthful.
436
436
00:18:29,670 --> 00:18:31,500
So, even when you're putting together,
437
437
00:18:31,500 --> 00:18:33,690
like your security plan,
438
438
00:18:33,690 --> 00:18:37,380
if you're not doing something annotated in there,
439
439
00:18:37,380 --> 00:18:40,320
documented, be truthful, you know,
440
440
00:18:40,320 --> 00:18:42,000
do a risk analysis on it,
441
441
00:18:42,000 --> 00:18:44,830
determine what risks that brings to the system
442
442
00:18:45,930 --> 00:18:49,863
and what are some mitigations that can be put into place,
443
443
00:18:51,000 --> 00:18:52,530
and then document all of that,
444
444
00:18:52,530 --> 00:18:54,510
so you can communicate that up to leadership,
445
445
00:18:54,510 --> 00:18:56,640
because, as you mentioned earlier,
446
446
00:18:56,640 --> 00:18:59,310
that authorizing official has to sign off on it,
447
447
00:18:59,310 --> 00:19:01,140
and they need to actually understand
448
448
00:19:01,140 --> 00:19:05,040
the reality of the situation, not a clouded view.
449
449
00:19:05,040 --> 00:19:05,873
Yeah.
450
450
00:19:05,873 --> 00:19:08,460
And it's not reasonable to expect an authorizing official
451
451
00:19:08,460 --> 00:19:10,533
to really even understand RMF, is it?
452
452
00:19:11,970 --> 00:19:13,560
I think, yes,
453
453
00:19:13,560 --> 00:19:15,270
I mean, a part of their training
454
454
00:19:15,270 --> 00:19:16,770
to be an authorizing official,
455
455
00:19:16,770 --> 00:19:19,260
they're supposed to actually take training
456
456
00:19:19,260 --> 00:19:20,670
in the RMF process.
457
457
00:19:20,670 --> 00:19:24,120
And those that I have worked with recently are pretty aware
458
458
00:19:24,120 --> 00:19:27,060
of the RMF process and frustrated with it, right?
459
459
00:19:27,060 --> 00:19:29,820
Because it is holding up some progress.
460
460
00:19:29,820 --> 00:19:34,807
It is making the system development life cycle take longer.
461
461
00:19:34,807 --> 00:19:35,997
Yeah, okay.
462
462
00:19:35,997 --> 00:19:38,010
And from my experience,
463
463
00:19:38,010 --> 00:19:41,036
all that hold up is in the middle tier.
464
464
00:19:41,036 --> 00:19:43,170
It's all of those middle.
465
465
00:19:43,170 --> 00:19:45,780
The leadership, they want to be able
466
466
00:19:45,780 --> 00:19:47,430
to make those decisions quickly.
467
467
00:19:47,430 --> 00:19:49,500
They want to be able to move quickly,
468
468
00:19:49,500 --> 00:19:51,000
but we're holding it up in the middle
469
469
00:19:51,000 --> 00:19:54,030
with this whole checklist mentality problem we're having.
470
470
00:19:54,030 --> 00:19:55,170
Okay, right.
471
471
00:19:55,170 --> 00:19:56,490
And you'd mentioned that before.
472
472
00:19:56,490 --> 00:20:00,900
Now, in DOD anyway, you had told me previously,
473
473
00:20:00,900 --> 00:20:03,060
when we were talking about, you know,
474
474
00:20:03,060 --> 00:20:05,220
the episode here we're doing our preparations,
475
475
00:20:05,220 --> 00:20:08,400
and you said DOD has some initiatives
476
476
00:20:08,400 --> 00:20:10,710
to try and address these issues
477
477
00:20:10,710 --> 00:20:13,410
and to actually revise RMF.
478
478
00:20:13,410 --> 00:20:14,643
What are you seeing?
479
479
00:20:15,600 --> 00:20:18,750
Yeah, we're seeing what's called RMF 2.0.
480
480
00:20:18,750 --> 00:20:22,920
We're seeing the Fast-Track RMF, or Fast-Track ATO.
481
481
00:20:22,920 --> 00:20:26,160
We're seeing Continuous ATO.
482
482
00:20:26,160 --> 00:20:29,190
So, depending on where you're at in the DOD,
483
483
00:20:29,190 --> 00:20:31,020
it's being called a different name,
484
484
00:20:31,020 --> 00:20:34,350
but really it, kind of, peel all the layers to it,
485
485
00:20:34,350 --> 00:20:35,910
what it means is,
486
486
00:20:35,910 --> 00:20:39,060
do very good system security engineering,
487
487
00:20:39,060 --> 00:20:42,930
design systems that can be continuously monitored,
488
488
00:20:42,930 --> 00:20:45,900
monitor those systems, monitor the risk,
489
489
00:20:45,900 --> 00:20:48,390
continue to report that risk up,
490
490
00:20:48,390 --> 00:20:53,130
and then your ATO should continue to flow.
491
491
00:20:53,130 --> 00:20:54,330
Mm. Okay.
492
492
00:20:54,330 --> 00:20:57,150
Now, let's define that term for a moment, ATO,
493
493
00:20:57,150 --> 00:20:59,160
'cause I don't think we've defined it yet,
494
494
00:20:59,160 --> 00:21:00,240
but we've been using it.
495
495
00:21:00,240 --> 00:21:01,073
So, what's ATO?
496
496
00:21:02,040 --> 00:21:04,710
So, your ATO is your authorization to operate.
497
497
00:21:04,710 --> 00:21:07,860
So, for the DOD, it's what allows you
498
498
00:21:07,860 --> 00:21:12,120
to take a system and actually use it as a DOD entity.
499
499
00:21:12,120 --> 00:21:14,250
So, whether that's a standalone system,
500
500
00:21:14,250 --> 00:21:16,740
or it's connected to some type of network
501
501
00:21:16,740 --> 00:21:18,765
or cloud environment.
502
502
00:21:18,765 --> 00:21:19,680
Okay. Okay, got it.
503
503
00:21:19,680 --> 00:21:20,513
So, which-
504
504
00:21:20,513 --> 00:21:25,470
Do you have an opinion of your own, as far as,
505
505
00:21:25,470 --> 00:21:29,130
you know, RMF 2.0, Fast-Track ATO, Continuous ATO,
506
506
00:21:29,130 --> 00:21:31,350
do you think that they're headed in the right direction
507
507
00:21:31,350 --> 00:21:34,950
in terms of addressing what the real, you know,
508
508
00:21:34,950 --> 00:21:38,343
issue is with RMF and making it more useful?
509
509
00:21:40,710 --> 00:21:42,150
I mean, any steps
510
510
00:21:42,150 --> 00:21:44,853
for an improvement are helpful, obviously.
511
511
00:21:45,810 --> 00:21:48,180
Some of those processes have, kind of,
512
512
00:21:48,180 --> 00:21:50,190
a subset of controls in the beginning
513
513
00:21:50,190 --> 00:21:51,420
that are implemented,
514
514
00:21:51,420 --> 00:21:54,570
and then as you move through your ATO process,
515
515
00:21:54,570 --> 00:21:57,840
you implement more and more security controls.
516
516
00:21:57,840 --> 00:21:59,550
But really, a lot of that should have been done
517
517
00:21:59,550 --> 00:22:00,990
in the development life cycle
518
518
00:22:00,990 --> 00:22:04,230
for developing software for a system
519
519
00:22:04,230 --> 00:22:06,450
that has multiple pieces of software.
520
520
00:22:06,450 --> 00:22:08,793
We should have already done most of that.
521
521
00:22:09,720 --> 00:22:11,670
So, I think the initiatives are good.
522
522
00:22:11,670 --> 00:22:13,500
I don't think they're, you know,
523
523
00:22:13,500 --> 00:22:15,480
the final be all that'll get us
524
524
00:22:15,480 --> 00:22:17,310
to where we need to be.
525
525
00:22:17,310 --> 00:22:19,315
I honestly believe that a lot of it
526
526
00:22:19,315 --> 00:22:21,394
is coming down to the training.
527
527
00:22:21,394 --> 00:22:23,083
Mm, okay, okay.
528
528
00:22:23,083 --> 00:22:24,480
That's really interesting.
529
529
00:22:24,480 --> 00:22:28,980
So again, it's not that RMF itself is so much of an issue,
530
530
00:22:28,980 --> 00:22:33,180
it's just the culture, the institution, right?
531
531
00:22:33,180 --> 00:22:37,110
Trying to evolve itself to this kind of,
532
532
00:22:37,110 --> 00:22:39,445
you know, more flexible approach.
533
533
00:22:39,445 --> 00:22:41,160
Okay, well that's fascinating,
534
534
00:22:41,160 --> 00:22:44,732
and hopefully, with time, you know,
535
535
00:22:44,732 --> 00:22:47,640
maybe these two things will meet in the middle.
536
536
00:22:47,640 --> 00:22:49,080
RMF will change a little bit,
537
537
00:22:49,080 --> 00:22:50,880
and the culture will change a little bit,
538
538
00:22:50,880 --> 00:22:52,743
and we'll be able to get someplace.
539
539
00:22:53,670 --> 00:22:56,605
You know, one thing that I was curious about,
540
540
00:22:56,605 --> 00:22:59,553
this is a little off-the-cuff question here to you,
541
541
00:23:00,540 --> 00:23:01,830
but I've been thinking about the difference
542
542
00:23:01,830 --> 00:23:04,350
between RMF and the NIST cybersecurity framework,
543
543
00:23:04,350 --> 00:23:07,627
and, you know, some people have said to me,
544
544
00:23:07,627 --> 00:23:10,170
"Well, actually, they're kind of complementary."
545
545
00:23:10,170 --> 00:23:11,280
And I think to myself,
546
546
00:23:11,280 --> 00:23:13,110
well, they're definitely different,
547
547
00:23:13,110 --> 00:23:16,290
and so I suppose they could be complementary,
548
548
00:23:16,290 --> 00:23:18,780
whereas RMF is focused on the, you know,
549
549
00:23:18,780 --> 00:23:21,600
development life cycle and the cybersecurity framework is
550
550
00:23:21,600 --> 00:23:26,340
really more about an incident orientation.
551
551
00:23:26,340 --> 00:23:28,890
So, do you think that the NIST cybersecurity framework
552
552
00:23:28,890 --> 00:23:32,460
would be a good way to do step seven,
553
553
00:23:32,460 --> 00:23:36,510
that continuously monitor step in RMF,
554
554
00:23:36,510 --> 00:23:37,770
or, you know, how do you think
555
555
00:23:37,770 --> 00:23:40,200
about the way these two frameworks, kind of,
556
556
00:23:40,200 --> 00:23:41,940
fit up to each other?
557
557
00:23:41,940 --> 00:23:44,640
Yeah, I mean, they definitely have their place.
558
558
00:23:44,640 --> 00:23:47,040
They're both a little bit different from each other,
559
559
00:23:47,040 --> 00:23:48,420
but they do complement each other.
560
560
00:23:48,420 --> 00:23:52,260
And I do think that I am actually seeing more entities
561
561
00:23:52,260 --> 00:23:55,123
in the DOD start looking at the CSF.
562
562
00:23:55,123 --> 00:23:57,330
So, the cybersecurity framework,
563
563
00:23:57,330 --> 00:23:58,950
and how to bring that
564
564
00:23:58,950 --> 00:24:02,520
into that continuous monitoring type phase.
565
565
00:24:02,520 --> 00:24:03,353
Okay.
566
566
00:24:03,353 --> 00:24:05,820
So, you do think that that's a natural touch point
567
567
00:24:05,820 --> 00:24:07,650
for these two frameworks is
568
568
00:24:07,650 --> 00:24:09,720
that step seven continuous monitoring.
569
569
00:24:09,720 --> 00:24:11,534
Okay, thanks, I appreciate that.
570
570
00:24:11,534 --> 00:24:14,373
I was trying to figure that out for myself.
571
571
00:24:15,480 --> 00:24:17,643
All right, so, let's see.
572
572
00:24:18,540 --> 00:24:19,800
You know, when we were doing show prep,
573
573
00:24:19,800 --> 00:24:21,120
you had mentioned a few other things
574
574
00:24:21,120 --> 00:24:24,990
that I think our audience would really benefit
575
575
00:24:24,990 --> 00:24:26,940
from hearing about,
576
576
00:24:26,940 --> 00:24:31,940
which is some examples around, you know,
577
577
00:24:32,010 --> 00:24:34,893
some of the difficulties of legacy systems in RMF,
578
578
00:24:35,880 --> 00:24:38,940
and, you know, the fact that you've got systems
579
579
00:24:38,940 --> 00:24:41,957
that are no longer in a development state, right?
580
580
00:24:41,957 --> 00:24:43,590
Their development is finished,
581
581
00:24:43,590 --> 00:24:46,530
and maybe they'll never be enhanced again.
582
582
00:24:46,530 --> 00:24:51,300
And yet, you're still expected to use an SDLC-style approach
583
583
00:24:51,300 --> 00:24:55,530
to achieving approval to operate.
584
584
00:24:55,530 --> 00:24:56,760
What's that been like for you?
585
585
00:24:56,760 --> 00:24:58,910
How do you deal with a situation like that?
586
586
00:25:00,060 --> 00:25:03,090
It's been a struggle for everybody involved, right?
587
587
00:25:03,090 --> 00:25:06,600
So, we have systems in the DOD that are, I mean,
588
588
00:25:06,600 --> 00:25:10,106
designed and deployed in the sixties, the seventies,
589
589
00:25:10,106 --> 00:25:11,654
they're not even running on-
590
590
00:25:11,654 --> 00:25:13,904
Back when they were new. (laughing)
591
591
00:25:13,904 --> 00:25:15,491
Exactly. (laughing)
592
592
00:25:15,491 --> 00:25:18,090
So, a lot of them are still running on that platform.
593
593
00:25:18,090 --> 00:25:19,530
And so, when you take something
594
594
00:25:19,530 --> 00:25:22,920
that can only take a six-digit password,
595
595
00:25:22,920 --> 00:25:23,753
and you try to say,
596
596
00:25:23,753 --> 00:25:26,760
"Well, you have to put a 14-character password on it."
597
597
00:25:26,760 --> 00:25:29,520
How much development expense do you put
598
598
00:25:29,520 --> 00:25:31,920
in finding a developer, first of all,
599
599
00:25:31,920 --> 00:25:33,240
and then, I mean,
600
600
00:25:33,240 --> 00:25:36,000
are you actually improving the security of that system?
601
601
00:25:36,000 --> 00:25:39,417
Is it really a necessary requirement for that system?
602
602
00:25:39,417 --> 00:25:41,370
And a lot of that, as we're going through,
603
603
00:25:41,370 --> 00:25:43,980
and that's where I believe the training problem is coming
604
604
00:25:43,980 --> 00:25:47,197
into play, because those that are saying,
605
605
00:25:47,197 --> 00:25:49,860
"Okay, you have to come to my organization
606
606
00:25:49,860 --> 00:25:51,540
as a security controls assessor,
607
607
00:25:51,540 --> 00:25:53,310
and I'm doing your independent assessment,
608
608
00:25:53,310 --> 00:25:57,450
and you only have a six-character password, or even PIN,
609
609
00:25:57,450 --> 00:26:00,125
on your system, you fail."
610
610
00:26:00,125 --> 00:26:02,190
Well, do you really fail
611
611
00:26:02,190 --> 00:26:04,713
if the system isn't capable of doing that?
612
612
00:26:05,970 --> 00:26:09,510
And so, that is where we're really struggling in the DOD,
613
613
00:26:09,510 --> 00:26:11,040
is that kind of, that's what I said earlier,
614
614
00:26:11,040 --> 00:26:13,890
that middle tier, where I have to send my system
615
615
00:26:13,890 --> 00:26:16,530
to an assessor who has no idea at all.
616
616
00:26:16,530 --> 00:26:18,930
You know, they're right out of college, maybe,
617
617
00:26:18,930 --> 00:26:20,130
they're a new airman,
618
618
00:26:20,130 --> 00:26:21,390
this is a new position.
619
619
00:26:21,390 --> 00:26:22,530
And I'm trying to explain,
620
620
00:26:22,530 --> 00:26:24,360
and that's why it's very important that,
621
621
00:26:24,360 --> 00:26:26,550
in that documentation, you say, you know,
622
622
00:26:26,550 --> 00:26:29,760
you clearly state the system is, you know,
623
623
00:26:29,760 --> 00:26:33,000
legacy, it can't support a 14-character password.
624
624
00:26:33,000 --> 00:26:34,710
And this is a very simple example
625
625
00:26:34,710 --> 00:26:37,068
that's very true, but-
626
626
00:26:37,068 --> 00:26:37,980
Oh, oh it is.
627
627
00:26:37,980 --> 00:26:40,440
And you know, Rebecca, as you talk about this,
628
628
00:26:40,440 --> 00:26:42,240
I'm reminded of some experiences I've had
629
629
00:26:42,240 --> 00:26:43,410
in the private sector,
630
630
00:26:43,410 --> 00:26:46,170
where I had a customer who was going
631
631
00:26:46,170 --> 00:26:47,820
through a payment card industry
632
632
00:26:47,820 --> 00:26:50,700
data security standard audit, right?
633
633
00:26:50,700 --> 00:26:54,420
Because they wanted to conform to the PCI DSS,
634
634
00:26:54,420 --> 00:26:56,250
and, similar things.
635
635
00:26:56,250 --> 00:26:57,570
This was a while ago, but you know,
636
636
00:26:57,570 --> 00:26:58,860
there would be a mainframe computer
637
637
00:26:58,860 --> 00:27:01,170
that was processing credit card transactions,
638
638
00:27:01,170 --> 00:27:03,210
and it was legacy, and you know,
639
639
00:27:03,210 --> 00:27:04,800
it just couldn't, you know,
640
640
00:27:04,800 --> 00:27:05,970
whether it was a password,
641
641
00:27:05,970 --> 00:27:07,110
or just some other things,
642
642
00:27:07,110 --> 00:27:09,750
it just could not perform
643
643
00:27:09,750 --> 00:27:12,207
to all of the requirements in PCI DSS.
644
644
00:27:12,207 --> 00:27:13,890
And so, we had to figure out
645
645
00:27:13,890 --> 00:27:16,020
how to create compensating controls
646
646
00:27:16,020 --> 00:27:16,980
and do other things
647
647
00:27:16,980 --> 00:27:19,290
in order to meet the intent of the requirement,
648
648
00:27:19,290 --> 00:27:22,620
knowing that the requirement itself was not going to be met
649
649
00:27:22,620 --> 00:27:26,187
in a very, you know, inside that system.
650
650
00:27:26,187 --> 00:27:29,394
And so, that sounds very similar to what you said.
651
651
00:27:29,394 --> 00:27:30,810
I mean, right?
652
652
00:27:30,810 --> 00:27:32,375
That's the same, isn't it?
653
653
00:27:32,375 --> 00:27:33,208
Absolutely, that's the same.
654
654
00:27:33,208 --> 00:27:35,079
Everyone's having the problem.
655
655
00:27:35,079 --> 00:27:36,360
Medical community is having it.
656
656
00:27:36,360 --> 00:27:39,540
Anybody that is trying to meet a compliance standard
657
657
00:27:39,540 --> 00:27:42,810
that is built on modern development processes
658
658
00:27:42,810 --> 00:27:45,240
and platforms is having the same issue.
659
659
00:27:45,240 --> 00:27:46,710
Right, okay.
660
660
00:27:46,710 --> 00:27:48,060
So, listen, for anybody out there
661
661
00:27:48,060 --> 00:27:51,720
who has experience working in PCI DSS, or HIPAA,
662
662
00:27:51,720 --> 00:27:53,250
or what have you, where you're trying
663
663
00:27:53,250 --> 00:27:54,083
to take a framework,
664
664
00:27:54,083 --> 00:27:57,720
and you're trying to get a legacy system
665
665
00:27:57,720 --> 00:27:59,640
to conform to it,
666
666
00:27:59,640 --> 00:28:01,020
well, if you come over to RMF,
667
667
00:28:01,020 --> 00:28:03,090
welcome to the party, because it sounds like (laughing)
668
668
00:28:03,090 --> 00:28:05,880
it's going to just be more of the same. (laughing)
669
669
00:28:05,880 --> 00:28:07,230
RMF does another thing too,
670
670
00:28:07,230 --> 00:28:09,270
which I thought was really interesting.
671
671
00:28:09,270 --> 00:28:10,103
You know, these days,
672
672
00:28:10,103 --> 00:28:12,450
we talk about advanced persistent threats,
673
673
00:28:12,450 --> 00:28:14,250
and we talk about zero trust,
674
674
00:28:14,250 --> 00:28:17,010
and those things really bring up this idea
675
675
00:28:17,010 --> 00:28:18,810
of assume breach, right?
676
676
00:28:18,810 --> 00:28:20,610
As a philosophy, right?
677
677
00:28:20,610 --> 00:28:22,980
Because, for so long, we've been in this mindset
678
678
00:28:22,980 --> 00:28:26,250
that we are assuming that a system is not breached,
679
679
00:28:26,250 --> 00:28:28,260
so we can build nice walls around it, right?
680
680
00:28:28,260 --> 00:28:29,880
And keep it pure,
681
681
00:28:29,880 --> 00:28:32,130
but we've realized that
682
682
00:28:32,130 --> 00:28:34,793
that's just not the way the world works anymore.
683
683
00:28:34,793 --> 00:28:36,907
But, during the show prep, you were saying,
684
684
00:28:36,907 --> 00:28:38,760
"Yeah, unfortunately, RMF,
685
685
00:28:38,760 --> 00:28:40,350
kind of, hasn't really caught up
686
686
00:28:40,350 --> 00:28:42,480
to the reality of assume breach."
687
687
00:28:42,480 --> 00:28:43,713
Did I get that right?
688
688
00:28:44,640 --> 00:28:45,750
Yes, yes.
689
689
00:28:45,750 --> 00:28:46,800
So, it doesn't-
690
690
00:28:46,800 --> 00:28:49,200
It's not looking at advanced persistent threat.
691
691
00:28:49,200 --> 00:28:50,910
So, that's why, in the DOD,
692
692
00:28:50,910 --> 00:28:52,860
and not to throw us off track at all,
693
693
00:28:52,860 --> 00:28:54,570
but we are really starting
694
694
00:28:54,570 --> 00:28:59,454
to look at resiliency and survivability in our systems.
695
695
00:28:59,454 --> 00:29:00,287
And, and that's-
696
696
00:29:00,287 --> 00:29:02,580
This cybersecurity framework is really designed
697
697
00:29:02,580 --> 00:29:06,480
around resilience, and I don't know
698
698
00:29:06,480 --> 00:29:09,960
that they ever used the term assume breach in there exactly,
699
699
00:29:09,960 --> 00:29:12,367
but they certainly do emphasize the fact that,
700
700
00:29:12,367 --> 00:29:14,670
you know, it's not all about prevention.
701
701
00:29:14,670 --> 00:29:17,430
That you have to detect, respond, and recover as well,
702
702
00:29:17,430 --> 00:29:19,620
and be prepared to do those things,
703
703
00:29:19,620 --> 00:29:21,180
and as fast as you can,
704
704
00:29:21,180 --> 00:29:22,740
because that really matters,
705
705
00:29:22,740 --> 00:29:26,160
in terms of being able to survive.
706
706
00:29:26,160 --> 00:29:28,980
Okay, so, (laughing) now we get to the part
707
707
00:29:28,980 --> 00:29:31,440
that we really were aiming at,
708
708
00:29:31,440 --> 00:29:33,090
which is eMASS, right?
709
709
00:29:33,090 --> 00:29:34,740
What is eMASS?
710
710
00:29:34,740 --> 00:29:35,820
Who should use it,
711
711
00:29:35,820 --> 00:29:37,800
and what are its limitations?
712
712
00:29:37,800 --> 00:29:39,750
What are the things that are really good about it?
713
713
00:29:39,750 --> 00:29:42,150
So, hi Rebecca, I'm new.
714
714
00:29:42,150 --> 00:29:43,173
What's eMASS?
715
715
00:29:44,490 --> 00:29:47,027
So, the first thing to understand about eMASS is
716
716
00:29:47,027 --> 00:29:50,040
it is what we call a government off-the-shelf.
717
717
00:29:50,040 --> 00:29:52,380
So, you can't go and buy it
718
718
00:29:52,380 --> 00:29:53,550
from a commercial vendor.
719
719
00:29:53,550 --> 00:29:58,550
It is developed for the DOD by DOD contractors,
720
720
00:29:59,190 --> 00:30:03,123
available to DOD users on DOD systems.
721
721
00:30:03,960 --> 00:30:05,550
So if you were, you know,
722
722
00:30:05,550 --> 00:30:09,120
an integrator or a small business trying to use eMASS,
723
723
00:30:09,120 --> 00:30:12,780
or, you know, learn, teach yourself how to use it,
724
724
00:30:12,780 --> 00:30:13,613
you can't do that.
725
725
00:30:13,613 --> 00:30:16,293
It has to be from a DOD network.
726
726
00:30:17,640 --> 00:30:20,220
And so, really, what it does is it helps walk you
727
727
00:30:20,220 --> 00:30:22,380
through the seven steps.
728
728
00:30:22,380 --> 00:30:25,050
So, you start by registering your system,
729
729
00:30:25,050 --> 00:30:29,356
and it's very access-control oriented.
730
730
00:30:29,356 --> 00:30:34,356
Restrictions are pretty tight around permissions.
731
731
00:30:34,410 --> 00:30:35,243
So, like right now,
732
732
00:30:35,243 --> 00:30:38,880
one of my organizations I work with is very small.
733
733
00:30:38,880 --> 00:30:40,410
There are two of us.
734
734
00:30:40,410 --> 00:30:43,573
And so, we have to get multiple roles in eMASS
735
735
00:30:43,573 --> 00:30:45,570
to be able to do all the jobs,
736
736
00:30:45,570 --> 00:30:48,270
to work the system through the process.
737
737
00:30:48,270 --> 00:30:50,310
So, are you having to log out and log back in,
738
738
00:30:50,310 --> 00:30:52,230
depending on what step you're trying to accomplish?
739
739
00:30:52,230 --> 00:30:53,063
Is it that awkward?
740
740
00:30:53,063 --> 00:30:56,430
No, they're able to actually give you the permissions
741
741
00:30:56,430 --> 00:30:58,638
under one account, thankfully.
742
742
00:30:58,638 --> 00:31:00,993
Oh, good.
743
743
00:31:00,993 --> 00:31:02,610
But, it's very permission-based,
744
744
00:31:02,610 --> 00:31:04,140
which it obviously should be, right?
745
745
00:31:04,140 --> 00:31:08,137
We're trying to prevent me from being able to say,
746
746
00:31:08,137 --> 00:31:10,170
"Oh, I'm doing this, you know,
747
747
00:31:10,170 --> 00:31:12,120
for this control, and I do it really well,
748
748
00:31:12,120 --> 00:31:14,640
and oh, let me just go ahead and assess myself."
749
749
00:31:14,640 --> 00:31:16,980
You know, you've got to have a separation of duty there.
750
750
00:31:16,980 --> 00:31:18,150
Right, right.
751
751
00:31:18,150 --> 00:31:20,220
Yeah, listening to you talk about using eMASS
752
752
00:31:20,220 --> 00:31:21,960
when you were such a small organization,
753
753
00:31:21,960 --> 00:31:23,010
makes me think about,
754
754
00:31:24,030 --> 00:31:26,467
maybe like a two-person startup who says,
755
755
00:31:26,467 --> 00:31:29,457
"Let's use Salesforce for our CRM," you know, (laughing)
756
756
00:31:29,457 --> 00:31:31,441
and it's like, wait a minute.
757
757
00:31:31,441 --> 00:31:32,640
(Rebecca and Kip laughing)
758
758
00:31:32,640 --> 00:31:34,530
That's a highly scaled system,
759
759
00:31:34,530 --> 00:31:37,290
and probably not the best place for you to start.
760
760
00:31:37,290 --> 00:31:39,570
When I talk with mid-market companies
761
761
00:31:39,570 --> 00:31:42,540
about doing different things for the cybersecurity,
762
762
00:31:42,540 --> 00:31:43,657
sometimes they'll say to me,
763
763
00:31:43,657 --> 00:31:45,930
"Well, what if we get, you know, XYZ product,
764
764
00:31:45,930 --> 00:31:48,420
because that's very popular
765
765
00:31:48,420 --> 00:31:49,980
and all the big companies use it."
766
766
00:31:49,980 --> 00:31:53,730
And I say, "You know, I understand why you say that,
767
767
00:31:53,730 --> 00:31:57,660
but that's kind of like putting your 14-year-old son
768
768
00:31:57,660 --> 00:32:00,780
into his dad's suit and sending him off to, you know,
769
769
00:32:00,780 --> 00:32:02,190
the junior high dance.
770
770
00:32:02,190 --> 00:32:03,990
It's really not going to work.
771
771
00:32:03,990 --> 00:32:05,430
It's just, you know,
772
772
00:32:05,430 --> 00:32:08,190
that suit was never designed for such a small kid,
773
773
00:32:08,190 --> 00:32:11,940
and he's going to look silly, and worse yet,
774
774
00:32:11,940 --> 00:32:13,980
I mean, it can be so expensive
775
775
00:32:13,980 --> 00:32:16,080
to use something that's been sized
776
776
00:32:16,080 --> 00:32:18,840
beyond the scale that you're operating at."
777
777
00:32:18,840 --> 00:32:20,250
And so what I'm hearing is,
778
778
00:32:20,250 --> 00:32:21,540
is that if you're a small organization,
779
779
00:32:21,540 --> 00:32:23,670
eMASS can kind of feel like you're wearing,
780
780
00:32:23,670 --> 00:32:26,310
you know, too big of a dress. (laughing)
781
781
00:32:26,310 --> 00:32:29,190
Yeah. But on the other end, if you are-
782
782
00:32:29,190 --> 00:32:31,830
So, we work a lot with system of systems.
783
783
00:32:31,830 --> 00:32:33,690
I don't know if you've ever talked about that
784
784
00:32:33,690 --> 00:32:34,920
in any of your podcasts.
785
785
00:32:34,920 --> 00:32:36,060
I haven't, we haven't.
786
786
00:32:36,060 --> 00:32:38,190
Tell us what that is, please.
787
787
00:32:38,190 --> 00:32:39,023
So, a system of systems is,
788
788
00:32:39,023 --> 00:32:40,200
if you think about,
789
789
00:32:40,200 --> 00:32:43,110
think about like Navy ships, a good example, right?
790
790
00:32:43,110 --> 00:32:46,110
It is a system, the ship is a system in its own,
791
791
00:32:46,110 --> 00:32:49,830
but there are thousands of systems on that ship
792
792
00:32:49,830 --> 00:32:51,810
that have to work together.
793
793
00:32:51,810 --> 00:32:53,040
Some of them are standalone,
794
794
00:32:53,040 --> 00:32:54,390
some are working together,
795
795
00:32:54,390 --> 00:32:57,000
some are communicating back home.
796
796
00:32:57,000 --> 00:32:59,340
But that is what we call a system of systems.
797
797
00:32:59,340 --> 00:33:00,720
These all have to work together.
798
798
00:33:00,720 --> 00:33:03,360
So, eMASS doesn't do a great job
799
799
00:33:03,360 --> 00:33:06,630
of looking at risk across that entire enterprise,
800
800
00:33:06,630 --> 00:33:08,490
a system of systems, either.
801
801
00:33:08,490 --> 00:33:12,540
So, it's really right in that mid-level development size
802
802
00:33:12,540 --> 00:33:15,120
of system that it works really well in.
803
803
00:33:15,120 --> 00:33:16,530
Interesting, okay, yeah.
804
804
00:33:16,530 --> 00:33:19,627
So, in my brain, I think of like subsystems, right?
805
805
00:33:19,627 --> 00:33:22,380
You know, 'cause you can't really operate a ship
806
806
00:33:22,380 --> 00:33:23,880
without all these subsystems
807
807
00:33:23,880 --> 00:33:25,770
and, kind of, how they integrate with each other.
808
808
00:33:25,770 --> 00:33:27,180
You know, if Jason Dion was here,
809
809
00:33:27,180 --> 00:33:28,440
he'd be all over this,
810
810
00:33:28,440 --> 00:33:31,650
because, as a person who was just retired from the Navy,
811
811
00:33:31,650 --> 00:33:34,740
he could probably tell us all kinds of really cool stories
812
812
00:33:34,740 --> 00:33:37,050
about, you know, how subsystems on ships
813
813
00:33:37,050 --> 00:33:40,710
don't work the way they're supposed to, or what have you.
814
814
00:33:40,710 --> 00:33:41,910
But, let's get back to eMASS.
815
815
00:33:41,910 --> 00:33:43,740
So, okay, so what I'm hearing is
816
816
00:33:43,740 --> 00:33:47,070
eMASS is not something you can buy without a prescription.
817
817
00:33:47,070 --> 00:33:50,910
And I'm hearing that eMASS is like kind of complicated,
818
818
00:33:50,910 --> 00:33:55,140
and a little difficult to kind of get your arms around,
819
819
00:33:55,140 --> 00:33:57,840
and that the only way you're going to get into eMASS is
820
820
00:33:57,840 --> 00:34:02,760
if you apply to somebody in the government, right?
821
821
00:34:02,760 --> 00:34:04,230
To issue you an account.
822
822
00:34:04,230 --> 00:34:05,730
And they probably won't do that
823
823
00:34:05,730 --> 00:34:07,800
unless you've got some kind of contract you're working on.
824
824
00:34:07,800 --> 00:34:09,420
Is that about right?
825
825
00:34:09,420 --> 00:34:12,319
Yes, and typically you have to have a DOD CAC.
826
826
00:34:12,319 --> 00:34:13,830
So, it is CAC.
827
827
00:34:13,830 --> 00:34:14,663
Okay.
828
828
00:34:14,663 --> 00:34:18,018
And that's a common access, how do-
829
829
00:34:18,018 --> 00:34:19,410
Card.
830
830
00:34:19,410 --> 00:34:20,720
Okay, common access card, right.
831
831
00:34:20,720 --> 00:34:23,730
So that's like a smart card, is it not?
832
832
00:34:23,730 --> 00:34:24,720
It is.
833
833
00:34:24,720 --> 00:34:25,553
When I-
834
834
00:34:25,553 --> 00:34:27,990
They didn't have these things when I was on active duty,
835
835
00:34:27,990 --> 00:34:28,950
so I've heard about them,
836
836
00:34:28,950 --> 00:34:30,510
but I've never actually had one.
837
837
00:34:30,510 --> 00:34:33,270
And is eMASS web-based or is it like a piece
838
838
00:34:33,270 --> 00:34:36,180
of software you install on your local computer?
839
839
00:34:36,180 --> 00:34:37,600
It is a web-based app, yep.
840
840
00:34:37,600 --> 00:34:39,630
Okay, okay, got that.
841
841
00:34:39,630 --> 00:34:41,520
Okay, cool.
842
842
00:34:41,520 --> 00:34:43,890
And now, what else about using eMASS?
843
843
00:34:43,890 --> 00:34:46,980
I mean, are there any, in your experience,
844
844
00:34:46,980 --> 00:34:49,980
any particular gotchas, or tips, or tricks?
845
845
00:34:49,980 --> 00:34:52,530
I mean, like again, hi Rebecca, I'm new,
846
846
00:34:52,530 --> 00:34:54,480
I'm using eMASS for the first time.
847
847
00:34:54,480 --> 00:34:55,313
What should I know?
848
848
00:34:55,313 --> 00:34:58,643
What else would you tell me so I can be successful?
849
849
00:34:58,643 --> 00:35:01,830
So, it's going to depend on when you come in
850
850
00:35:01,830 --> 00:35:03,840
and the life cycle of your system.
851
851
00:35:03,840 --> 00:35:05,880
So, if you come in new to an organization,
852
852
00:35:05,880 --> 00:35:09,690
and all of their systems are already built in eMASS,
853
853
00:35:09,690 --> 00:35:13,080
you're just, let's say you already have an ATO,
854
854
00:35:13,080 --> 00:35:15,840
you'll be working on continuous monitoring.
855
855
00:35:15,840 --> 00:35:17,250
So, there are requirements
856
856
00:35:17,250 --> 00:35:18,930
to review the security controls
857
857
00:35:18,930 --> 00:35:21,000
at a scripted time.
858
858
00:35:21,000 --> 00:35:22,830
So, let's say, every three years you're required
859
859
00:35:22,830 --> 00:35:24,450
to review your security policies.
860
860
00:35:24,450 --> 00:35:25,680
Every year, you're required
861
861
00:35:25,680 --> 00:35:29,427
to review your access control rosters.
862
862
00:35:29,427 --> 00:35:31,800
So, in eMASS, we actually go in there
863
863
00:35:31,800 --> 00:35:34,980
and validate that we review those.
864
864
00:35:34,980 --> 00:35:37,590
But, if you're building a new system in eMASS,
865
865
00:35:37,590 --> 00:35:40,200
you have to request the access,
866
866
00:35:40,200 --> 00:35:41,700
you've got to have somebody
867
867
00:35:41,700 --> 00:35:44,370
build the initial system for you.
868
868
00:35:44,370 --> 00:35:46,620
So, let's say, you know, you have your system is,
869
869
00:35:46,620 --> 00:35:48,480
you know, whatever you want to call it, you know,
870
870
00:35:48,480 --> 00:35:50,253
New DOD System 2.
871
871
00:35:51,300 --> 00:35:55,080
And then, you sit down and you categorize the system
872
872
00:35:55,080 --> 00:35:56,220
and tailor it in there,
873
873
00:35:56,220 --> 00:35:58,500
and then that gets approved.
874
874
00:35:58,500 --> 00:35:59,520
And so, once your,
875
875
00:35:59,520 --> 00:36:01,500
we call it your security controls baseline,
876
876
00:36:01,500 --> 00:36:04,080
tailored, once that's been approved,
877
877
00:36:04,080 --> 00:36:04,913
then you actually-
878
878
00:36:04,913 --> 00:36:08,220
Then the work starts, the implementation, right?
879
879
00:36:08,220 --> 00:36:10,380
So you've got to write security policies,
880
880
00:36:10,380 --> 00:36:12,750
you've got to add SOPs and TTPs,
881
881
00:36:12,750 --> 00:36:15,210
you've got to, what we refer to as,
882
882
00:36:15,210 --> 00:36:18,447
harden the system, or utilize the STIGs,
883
883
00:36:18,447 --> 00:36:21,870
the security technical implementation guides.
884
884
00:36:21,870 --> 00:36:24,810
So, you got to have a software and hardware baseline,
885
885
00:36:24,810 --> 00:36:27,390
and you put that into eMASS, actually.
886
886
00:36:27,390 --> 00:36:29,309
You will actually put in there,
887
887
00:36:29,309 --> 00:36:32,562
you know, I'm using, you know, this Dell version,
888
888
00:36:32,562 --> 00:36:36,030
this model, this is the OS that's running on it,
889
889
00:36:36,030 --> 00:36:38,820
this is the patch level the OS is on.
890
890
00:36:38,820 --> 00:36:40,892
You put all of that information in there,
891
891
00:36:40,892 --> 00:36:43,020
and you start to build your hardware and software list.
892
892
00:36:43,020 --> 00:36:46,717
You'll build what they call the authorization boundary.
893
893
00:36:46,717 --> 00:36:47,550
Okay.
894
894
00:36:47,550 --> 00:36:49,500
So, you have to actually say,
895
895
00:36:49,500 --> 00:36:53,190
here's all the components, hardware, software, firmware.
896
896
00:36:53,190 --> 00:36:54,330
Here's how they're connecting.
897
897
00:36:54,330 --> 00:36:55,983
Here's all my ports I'm using.
898
898
00:36:56,880 --> 00:36:58,440
Here's all the protocols we're using.
899
899
00:36:58,440 --> 00:36:59,700
Wow.
900
900
00:36:59,700 --> 00:37:01,350
So, all of this data
901
901
00:37:01,350 --> 00:37:04,740
that supports the system security plan
902
902
00:37:04,740 --> 00:37:06,630
goes into eMASS, and you're essentially
903
903
00:37:06,630 --> 00:37:09,060
building your system security plan in eMASS.
904
904
00:37:09,060 --> 00:37:10,440
And this also sounds like
905
905
00:37:10,440 --> 00:37:12,900
a really heavy-duty configuration control
906
906
00:37:12,900 --> 00:37:14,160
sort of an approach too, right?
907
907
00:37:14,160 --> 00:37:16,500
Because I'm hearing you say, like you're putting, you know,
908
908
00:37:16,500 --> 00:37:18,960
all these component items in there,
909
909
00:37:18,960 --> 00:37:21,030
down to the patch level,
910
910
00:37:21,030 --> 00:37:22,470
and getting this all in,
911
911
00:37:22,470 --> 00:37:24,690
and I can see why that would be an advantage,
912
912
00:37:24,690 --> 00:37:27,090
but I'm also just sort of fatigued
913
913
00:37:27,090 --> 00:37:28,710
just thinking about, you know, (laughing)
914
914
00:37:28,710 --> 00:37:30,510
all of the information
915
915
00:37:30,510 --> 00:37:33,390
that I'm going to have to, you know, pound into eMASS.
916
916
00:37:33,390 --> 00:37:34,860
So, fascinating.
917
917
00:37:34,860 --> 00:37:36,780
Well then, that actually brings up a question
918
918
00:37:36,780 --> 00:37:37,860
that I wanted to ask you
919
919
00:37:37,860 --> 00:37:39,360
as we get to the end of our episode today,
920
920
00:37:39,360 --> 00:37:41,550
which is, are there any risks
921
921
00:37:41,550 --> 00:37:44,043
to using eMASS to manage risks?
922
922
00:37:45,930 --> 00:37:49,540
The number one concern right now, okay,
923
923
00:37:49,540 --> 00:37:52,860
now, I'm putting all of my systems,
924
924
00:37:52,860 --> 00:37:54,870
all of the software,
925
925
00:37:54,870 --> 00:37:57,780
the versions, IP addresses,
926
926
00:37:57,780 --> 00:38:01,470
boundary diagrams, ports, protocols, services,
927
927
00:38:01,470 --> 00:38:03,420
how I'm authenticating my users,
928
928
00:38:03,420 --> 00:38:04,710
my encryption type.
929
929
00:38:04,710 --> 00:38:07,200
Uploading every single design and system security
930
930
00:38:07,200 --> 00:38:12,200
engineering aspect into one web-based application,
931
931
00:38:12,466 --> 00:38:15,780
which in itself has some vulnerabilities, right?
932
932
00:38:15,780 --> 00:38:16,893
That it's web-based.
933
933
00:38:18,030 --> 00:38:21,120
Now, you want me to put all of that together,
934
934
00:38:21,120 --> 00:38:23,313
along with everyone else's stuff,
935
935
00:38:24,180 --> 00:38:27,810
and really, you have built a treasure chest
936
936
00:38:27,810 --> 00:38:29,980
for the adversary to get you.
937
937
00:38:29,980 --> 00:38:34,890
It is a crown jewel with that piece of software on the web.
938
938
00:38:34,890 --> 00:38:36,390
Right, huh, I wonder
939
939
00:38:36,390 --> 00:38:40,620
if anybody used eMASS to assess eMASS? (laughing)
940
940
00:38:40,620 --> 00:38:42,597
I do know it has an ATO. (laughing)
941
941
00:38:42,597 --> 00:38:45,409
Oh, well that's good. (laughing)
942
942
00:38:45,409 --> 00:38:48,000
Okay, so that's eMASS.
943
943
00:38:48,000 --> 00:38:49,410
Just a quick question,
944
944
00:38:49,410 --> 00:38:53,400
are there other ways that you can automate RMF,
945
945
00:38:53,400 --> 00:38:55,080
or just make it easier for yourself,
946
946
00:38:55,080 --> 00:38:56,253
other than eMASS?
947
947
00:38:57,191 --> 00:38:59,940
So, Xacta is one of the tools
948
948
00:38:59,940 --> 00:39:02,470
that you'll see being used across the DOD.
949
949
00:39:03,495 --> 00:39:05,790
The federal side has their own tools.
950
950
00:39:05,790 --> 00:39:09,460
So, they have CCM, could not tell you what it stands for.
951
951
00:39:09,460 --> 00:39:10,830
Okay.
952
952
00:39:10,830 --> 00:39:13,050
So, and then some organizations develop
953
953
00:39:13,050 --> 00:39:15,930
their own internal systems,
954
954
00:39:15,930 --> 00:39:20,133
where they'll use things like SharePoint.
955
955
00:39:21,360 --> 00:39:24,780
I've seen, you know, custom-build workflow processes.
956
956
00:39:24,780 --> 00:39:26,760
I've seen CRM be leveraged
957
957
00:39:26,760 --> 00:39:29,580
to build a workflow process for this.
958
958
00:39:29,580 --> 00:39:31,950
Okay, so eMASS is really optional then,
959
959
00:39:31,950 --> 00:39:33,900
is what I'm hearing,
960
960
00:39:33,900 --> 00:39:35,310
that there's other, you know,
961
961
00:39:35,310 --> 00:39:38,250
that RMF doesn't require you to use eMASS,
962
962
00:39:38,250 --> 00:39:39,360
and that you can sort of bring
963
963
00:39:39,360 --> 00:39:42,150
whatever automation you'd like to the party.
964
964
00:39:42,150 --> 00:39:43,740
Is that right?
965
965
00:39:43,740 --> 00:39:46,042
Well, that was correct.
966
966
00:39:46,042 --> 00:39:48,360
Now it's starting,
Uh-oh. (laughing)
967
967
00:39:48,360 --> 00:39:52,140
Now, more services are starting to require it.
968
968
00:39:52,140 --> 00:39:55,203
So, across the Air Force, Army, Navy, Marine Corps.
969
969
00:39:56,100 --> 00:39:57,300
Like I mentioned, you know,
970
970
00:39:57,300 --> 00:40:01,530
RMF is an interpretable process,
971
971
00:40:01,530 --> 00:40:06,300
so every community has kind of decided
972
972
00:40:06,300 --> 00:40:08,610
what tools and which processes they're going to use.
973
973
00:40:08,610 --> 00:40:11,539
eMASS is just a DOD-funded tool,
974
974
00:40:11,539 --> 00:40:15,480
and I do have a couple organizations I work with now,
975
975
00:40:15,480 --> 00:40:16,890
who don't use eMASS,
976
976
00:40:16,890 --> 00:40:19,499
but they have been mandated to move to it,
977
977
00:40:19,499 --> 00:40:20,760
and they are on a large initiative
978
978
00:40:20,760 --> 00:40:22,680
to move everything over to eMASS,
979
979
00:40:22,680 --> 00:40:24,690
and they're very nervous about it.
980
980
00:40:24,690 --> 00:40:25,770
Oh, okay, okay.
981
981
00:40:25,770 --> 00:40:27,330
And probably in a couple of years,
982
982
00:40:27,330 --> 00:40:29,790
we'll be talking about, you know,
983
983
00:40:29,790 --> 00:40:33,060
how everyone's using eMASS now, and you know,
984
984
00:40:33,060 --> 00:40:34,200
different sets of problems.
985
985
00:40:34,200 --> 00:40:35,033
So this really-
986
986
00:40:35,033 --> 00:40:36,420
The whole thing just really strikes me
987
987
00:40:36,420 --> 00:40:38,170
as a bit of a moving target, right?
988
988
00:40:39,120 --> 00:40:42,300
It's been moving for 20 years, so. (laughing)
989
989
00:40:42,300 --> 00:40:44,400
Well, welcome to cybersecurity. (laughing)
990
990
00:40:44,400 --> 00:40:45,233
'Cause that's just sort of
991
991
00:40:45,233 --> 00:40:46,830
the nature of the beast, isn't it?
992
992
00:40:46,830 --> 00:40:49,620
Everything is always moving.
993
993
00:40:49,620 --> 00:40:50,940
Well, we're running out of time.
994
994
00:40:50,940 --> 00:40:52,860
Rebecca, this has been a fantastic conversation,
995
995
00:40:52,860 --> 00:40:54,750
and I'm, again, really thankful
996
996
00:40:54,750 --> 00:40:57,180
that you've decided to spend
997
997
00:40:57,180 --> 00:40:59,977
some of your valuable time talking with me today,
998
998
00:40:59,977 --> 00:41:01,740
recording this episode,
999
999
00:41:01,740 --> 00:41:05,520
so that people can benefit from your experience.
1000
1000
00:41:05,520 --> 00:41:07,530
Is there anything else you want to share?
1001
1001
00:41:07,530 --> 00:41:11,013
Just like a final word before we wrap up?
1002
1002
00:41:12,480 --> 00:41:15,690
My biggest thing, when it comes to cybersecurity,
1003
1003
00:41:15,690 --> 00:41:19,656
RMF in the DOD, is really, you know,
1004
1004
00:41:19,656 --> 00:41:22,350
do good system security engineering.
1005
1005
00:41:22,350 --> 00:41:23,700
Think through problems,
1006
1006
00:41:23,700 --> 00:41:25,440
do risk assessments,
1007
1007
00:41:25,440 --> 00:41:27,810
document the outcomes, and be honest,
1008
1008
00:41:27,810 --> 00:41:31,290
so our leadership can make the best decisions
1009
1009
00:41:31,290 --> 00:41:32,937
for their community,
1010
1010
00:41:32,937 --> 00:41:36,630
and we've really got to start looking,
1011
1011
00:41:36,630 --> 00:41:38,670
one, at training people better,
1012
1012
00:41:38,670 --> 00:41:41,940
and two, making your mission-focused decisions
1013
1013
00:41:41,940 --> 00:41:44,310
when it comes to cybersecurity
1014
1014
00:41:44,310 --> 00:41:46,380
and risk management in the DOD.
1015
1015
00:41:46,380 --> 00:41:47,700
So, putting the mission first,
1016
1016
00:41:47,700 --> 00:41:49,590
and putting RMF and all these other things
1017
1017
00:41:49,590 --> 00:41:51,810
in a supporting role,
1018
1018
00:41:51,810 --> 00:41:54,870
not making them the point of the work that we do.
1019
1019
00:41:54,870 --> 00:41:56,550
I absolutely agree with that.
1020
1020
00:41:56,550 --> 00:41:59,502
Rebecca, if anybody wanted to contact you,
1021
1021
00:41:59,502 --> 00:42:01,350
after they listen to this episode,
1022
1022
00:42:01,350 --> 00:42:02,183
would that be okay?
1023
1023
00:42:02,183 --> 00:42:04,440
And how would you like them to do that?
1024
1024
00:42:04,440 --> 00:42:06,420
Absolutely, and you can email me,
1025
1025
00:42:06,420 --> 00:42:11,250
it's Becca, Becca@ICyberI.com,
1026
1026
00:42:11,250 --> 00:42:12,993
International Cyber Institute.
1027
1027
00:42:13,890 --> 00:42:14,790
That's probably the best way
1028
1028
00:42:14,790 --> 00:42:16,682
to get ahold of me, is by email.
1029
1029
00:42:16,682 --> 00:42:18,150
Okay, and that's the name of your organization
1030
1030
00:42:18,150 --> 00:42:19,470
that you started, right?
1031
1031
00:42:19,470 --> 00:42:20,517
That's correct, yes.
1032
1032
00:42:20,517 --> 00:42:22,170
Ah, I just think that's fantastic.
1033
1033
00:42:22,170 --> 00:42:24,060
I love, as a small business owner,
1034
1034
00:42:24,060 --> 00:42:25,590
I love meeting and talking
1035
1035
00:42:25,590 --> 00:42:26,820
to other small business owners.
1036
1036
00:42:26,820 --> 00:42:29,130
So, thank you so much Rebecca.
1037
1037
00:42:29,130 --> 00:42:30,630
You know, everybody,
1038
1038
00:42:30,630 --> 00:42:33,120
as with every episode that we create,
1039
1039
00:42:33,120 --> 00:42:35,190
you can access a full transcript
1040
1040
00:42:35,190 --> 00:42:37,380
of everything we talked about right on our website.
1041
1041
00:42:37,380 --> 00:42:41,760
All you have to do is put www.yourcyberpath.com,
1042
1042
00:42:41,760 --> 00:42:43,860
forward slash, and then just put the episode number.
1043
1043
00:42:43,860 --> 00:42:45,235
This is episode 83.
1044
1044
00:42:45,235 --> 00:42:47,190
Just put 83 in your favorite web browser,
1045
1045
00:42:47,190 --> 00:42:48,300
and then, you'll be able
1046
1046
00:42:48,300 --> 00:42:51,900
to actually pull up the page dedicated to this episode
1047
1047
00:42:51,900 --> 00:42:53,400
and access all the show notes
1048
1048
00:42:53,400 --> 00:42:55,830
and all of the transcript.
1049
1049
00:42:55,830 --> 00:42:57,330
It's a complete transcript.
1050
1050
00:42:57,330 --> 00:42:59,610
You can also sign up for my mentor notes.
1051
1051
00:42:59,610 --> 00:43:01,170
Now, if you don't know what mentor notes are,
1052
1052
00:43:01,170 --> 00:43:03,645
every two weeks, I send out an email.
1053
1053
00:43:03,645 --> 00:43:06,570
About 500 words, and I just tell you
1054
1054
00:43:06,570 --> 00:43:08,160
something that's going on,
1055
1055
00:43:08,160 --> 00:43:10,290
for those of you trying to get into cybersecurity.
1056
1056
00:43:10,290 --> 00:43:12,570
Something that's going on that I think will help you.
1057
1057
00:43:12,570 --> 00:43:15,840
And so, I focus on being very short,
1058
1058
00:43:15,840 --> 00:43:17,340
to-the-point, and practical.
1059
1059
00:43:17,340 --> 00:43:18,240
Listen, give it a try.
1060
1060
00:43:18,240 --> 00:43:19,650
You can unsubscribe any time.
1061
1061
00:43:19,650 --> 00:43:21,090
There's no trouble with that.
1062
1062
00:43:21,090 --> 00:43:22,860
If you go to yourcyberpath.com,
1063
1063
00:43:22,860 --> 00:43:24,593
you'll find the sign up there.
1064
1064
00:43:24,593 --> 00:43:26,670
Like I said, give it a try.
1065
1065
00:43:26,670 --> 00:43:28,530
But in any event, we're happy you were here.
1066
1066
00:43:28,530 --> 00:43:29,880
Thanks for listening.
1067
1067
00:43:29,880 --> 00:43:32,423
We're going to see you next time on Your Cyber Path.