1 00:00:15,000 --> 00:00:16,320 Welcome to Your Cyber Path.
2 00:00:16,320 --> 00:00:17,520 I'm Kip Boyle,
3 00:00:17,520 --> 00:00:19,740 and we've got a guest who actually works
4 00:00:19,740 --> 00:00:22,350 with the risk management framework a lot
5 00:00:22,350 --> 00:00:25,230 and has some insider knowledge
6 00:00:25,230 --> 00:00:27,240 on a particular tool
7 00:00:27,240 --> 00:00:29,790 that sort of advertises itself
8 00:00:29,790 --> 00:00:34,440 as a way of automating the risk management framework.
9 00:00:34,440 --> 00:00:37,320 Her name is Rebecca Onuskanich,
10 00:00:37,320 --> 00:00:39,900 and I hope to heck I said that right. (laughing)
11 00:00:39,900 --> 00:00:41,100 Good. Rebecca,
12 00:00:41,100 --> 00:00:42,150 so, welcome.
13 00:00:42,150 --> 00:00:43,380 We're so glad you're here.
14 00:00:43,380 --> 00:00:45,480 Would you please tell the audience a little bit
15 00:00:45,480 --> 00:00:47,480 about yourself and the work that you do?
16 00:00:48,450 --> 00:00:49,440 Yeah. Hey, thanks, Kip.
17 00:00:49,440 --> 00:00:51,060 Thanks for having me.
18 00:00:51,060 --> 00:00:51,893 So, as you mentioned,
19 00:00:51,893 --> 00:00:54,870 I do work with the risk management framework.
20 00:00:54,870 --> 00:00:56,490 Particularly, at this point in time,
21 00:00:56,490 --> 00:00:59,700 I'm working specifically in the Department of Defense,
22 00:00:59,700 --> 00:01:03,600 so most of my work is the Department of Defense's
23 00:01:03,600 --> 00:01:06,690 interpretation of the RMF process.
24 00:01:06,690 --> 00:01:08,730 I have worked in the federal agencies
25 00:01:08,730 --> 00:01:11,460 for quite a bit of years,
26 00:01:11,460 --> 00:01:13,470 but now, I'm back in the DOD.
27 00:01:13,470 --> 00:01:17,160 I started working in this space
28 00:01:17,160 --> 00:01:20,430 long before it was ever called the RMF process.
29 00:01:20,430 --> 00:01:24,990 So, I've been in DOD security compliance
30 00:01:24,990 --> 00:01:27,420 and information assurance for well over 20 years.
31 00:01:27,420 --> 00:01:29,280 So, I've seen it transition
32 00:01:29,280 --> 00:01:31,350 from very much keeping work process
33 00:01:31,350 --> 00:01:32,700 to where we're getting to this point
34 00:01:32,700 --> 00:01:36,930 of trying to automate the security configuration
35 00:01:36,930 --> 00:01:38,583 and compliance requirements.
36 00:01:39,485 --> 00:01:41,520 Again, I'm really happy you're here,
37 00:01:41,520 --> 00:01:44,760 because you're bringing a real depth of expertise
38 00:01:44,760 --> 00:01:48,360 to this topic for the benefit of our audience.
39 00:01:48,360 --> 00:01:53,360 And yeah, I recall my first experiences working
40 00:01:53,786 --> 00:01:55,230 kind of in this space,
41 00:01:55,230 --> 00:01:57,480 when I was on active duty in the Air Force,
42 00:01:57,480 --> 00:02:00,660 and let's just say it was primitive, (laughing)
43 00:02:00,660 --> 00:02:02,190 compared to what we're, you know,
44 00:02:02,190 --> 00:02:04,320 attempting to do now.
45 00:02:04,320 --> 00:02:06,120 Well, listen, everybody, as a reminder,
46 00:02:06,120 --> 00:02:09,960 RMF provides a process that integrates security, privacy,
47 00:02:09,960 --> 00:02:12,960 and cyber supply chain risk management activities
48 00:02:12,960 --> 00:02:15,510 all into a systems development life cycle.
49 00:02:15,510 --> 00:02:17,940 And there are seven steps in the process.
50 00:02:17,940 --> 00:02:21,420 So, I'll recap them now, and Rebecca,
51 00:02:21,420 --> 00:02:23,010 you can chime in and, you know,
52 00:02:23,010 --> 00:02:24,630 tell me if I get any of this wrong,
53 00:02:24,630 --> 00:02:25,860 'cause I know you have more experience
54 00:02:25,860 --> 00:02:27,060 with it than I do,
55 00:02:27,060 --> 00:02:30,660 but the first step is you have to prepare your organization
56 00:02:30,660 --> 00:02:33,120 to manage security and privacy risk.
57 00:02:33,120 --> 00:02:35,820 The second step is you have to categorize your system
58 00:02:35,820 --> 00:02:37,590 and the information that it processes,
59 00:02:37,590 --> 00:02:39,630 stores, and transmits.
60 00:02:39,630 --> 00:02:41,250 The third step is you've got to get
61 00:02:41,250 --> 00:02:44,820 into NIST Special Publication 800-53,
62 00:02:44,820 --> 00:02:46,530 which is a catalog of controls,
63 00:02:46,530 --> 00:02:48,510 and you have to select the ones
64 00:02:48,510 --> 00:02:51,300 that are going to help you reduce risk.
65 00:02:51,300 --> 00:02:53,730 Step number four is you implement the controls,
66 00:02:53,730 --> 00:02:55,740 and you document how they're deployed.
67 00:02:55,740 --> 00:02:58,560 Step number five is you assess to determine
68 00:02:58,560 --> 00:03:00,000 if the controls are in place,
69 00:03:00,000 --> 00:03:01,980 that they're operating as they're supposed to,
70 00:03:01,980 --> 00:03:05,220 and that you're getting the correct results from them.
71 00:03:05,220 --> 00:03:09,360 Step number six is a senior official then is asked
72 00:03:09,360 --> 00:03:11,280 to make a risk-based decision
73 00:03:11,280 --> 00:03:13,410 to authorize the system to operate,
74 00:03:13,410 --> 00:03:15,540 you know, to become a production system.
75 00:03:15,540 --> 00:03:16,770 And then the seventh step is
76 00:03:16,770 --> 00:03:21,510 to continuously monitor the implementation of your controls
77 00:03:21,510 --> 00:03:23,460 and to make sure that the risks
78 00:03:23,460 --> 00:03:26,490 to your systems stay reasonable.
79 00:03:26,490 --> 00:03:27,759 What do you think, Rebecca,
80 00:03:27,759 --> 00:03:30,420 was that an okay summary?
81 00:03:30,420 --> 00:03:31,740 That was perfect, yes.
82 00:03:31,740 --> 00:03:32,910 Okay, great.
83 00:03:32,910 --> 00:03:34,680 All right, so now, what I want to do is
84 00:03:34,680 --> 00:03:38,250 I want to really talk about using a particular tool
85 00:03:38,250 --> 00:03:41,040 to automate some of this work,
86 00:03:41,040 --> 00:03:43,050 'cause there's a lot to do here.
87 00:03:43,050 --> 00:03:45,630 And when we were doing pre-show prep,
88 00:03:45,630 --> 00:03:47,827 Rebecca was saying to me,
89 00:03:47,827 --> 00:03:51,360 "You know, Kip, this tool, called eMASS,
90 00:03:51,360 --> 00:03:53,310 it probably doesn't automate
91 00:03:53,310 --> 00:03:55,080 as much as people might think,"
92 00:03:55,080 --> 00:03:56,640 which was kind of surprising to me.
93 00:03:56,640 --> 00:03:58,470 I haven't used eMASS,
94 00:03:58,470 --> 00:04:01,230 but Rebecca, I was hoping you could kind of unpack
95 00:04:01,230 --> 00:04:02,850 that a little bit and tell people, you know,
96 00:04:02,850 --> 00:04:03,850 what does that mean?
97 00:04:05,220 --> 00:04:10,020 Yeah, so eMASS does definitely support the framework
98 00:04:10,020 --> 00:04:13,797 in walking through the actual RMF process.
99 00:04:13,797 --> 00:04:16,320 And you can do things like,
100 00:04:16,320 --> 00:04:18,423 when you put your system into eMASS,
101 00:04:19,500 --> 00:04:21,600 once you have a hardware list and a software list,
102 00:04:21,600 --> 00:04:24,510 and you do your Nessus vulnerability scans,
103 00:04:24,510 --> 00:04:27,690 you do your Security Technical Implementation Guide
104 00:04:27,690 --> 00:04:29,070 or your STIG checklist,
105 00:04:29,070 --> 00:04:31,590 you can import that data into eMASS,
106 00:04:31,590 --> 00:04:34,200 and then it will correlate those findings.
107 00:04:34,200 --> 00:04:36,780 So, let's say that you run an ACAS scan,
108 00:04:36,780 --> 00:04:40,440 and there is a vulnerability associated with the software
109 00:04:40,440 --> 00:04:42,480 or a piece of hardware,
110 00:04:42,480 --> 00:04:45,450 it will associate that security control
111 00:04:45,450 --> 00:04:50,250 with that piece of software as a non-compliant item.
112 00:04:50,250 --> 00:04:52,080 But it's not going to actually do things
113 00:04:52,080 --> 00:04:55,620 like write all of your security documentation for you
114 00:04:55,620 --> 00:05:00,000 on how you do identification and authentication.
115 00:05:00,000 --> 00:05:03,240 You've actually got to do that work to put it into eMASS.
116 00:05:03,240 --> 00:05:04,470 I see, okay.
117 00:05:04,470 --> 00:05:08,160 So, maybe eMASS would be better characterized
118 00:05:08,160 --> 00:05:10,320 as just like a data store
119 00:05:10,320 --> 00:05:12,270 and just a way to organize yourself.
120 00:05:12,270 --> 00:05:13,800 Do you think that's a more accurate description
121 00:05:13,800 --> 00:05:15,270 of what it does?
122 00:05:15,270 --> 00:05:18,360 Yeah, it does definitely keep all of your data,
123 00:05:18,360 --> 00:05:21,540 all of your system identification information,
124 00:05:21,540 --> 00:05:23,880 like, you do security categorization in there.
125 00:05:23,880 --> 00:05:26,430 So, we're talking step one, preparing.
126 00:05:26,430 --> 00:05:29,010 That's when we build our system in eMASS.
127 00:05:29,010 --> 00:05:31,530 When we start to move it or, step zero, prepare.
128 00:05:31,530 --> 00:05:33,750 Step one, we start to look
129 00:05:33,750 --> 00:05:35,400 at actually getting our team together.
130 00:05:35,400 --> 00:05:39,240 That's when we assign all of the individuals in eMASS,
131 00:05:39,240 --> 00:05:42,360 and then we, you know, add things like our system name,
132 00:05:42,360 --> 00:05:45,090 start looking at what version we are working on,
133 00:05:45,090 --> 00:05:47,250 what network is it going on?
134 00:05:47,250 --> 00:05:50,040 And then, when we move into that categorization phase,
135 00:05:50,040 --> 00:05:51,300 eMASS does a very good job
136 00:05:51,300 --> 00:05:53,730 of helping us categorize our system
137 00:05:53,730 --> 00:05:57,300 based on NIST Special Publication 800-60 Volume II,
138 00:05:57,300 --> 00:06:00,764 and then select our security controls from there.
139 00:06:00,764 --> 00:06:01,620 Okay, okay.
140 00:06:01,620 --> 00:06:02,880 So, eMASS is helpful,
141 00:06:02,880 --> 00:06:06,900 I guess is my takeaway from this part of our conversation.
142 00:06:06,900 --> 00:06:08,250 And so, it's worth us, you know,
143 00:06:08,250 --> 00:06:11,100 spending some more time on the episode now to, you know,
144 00:06:11,100 --> 00:06:12,420 kind of understand it a little bit better.
145 00:06:12,420 --> 00:06:15,210 And I suppose I should probably stop at this point
146 00:06:15,210 --> 00:06:18,810 and tell people that eMASS is an acronym,
147 00:06:18,810 --> 00:06:20,010 and it actually stands for
148 00:06:20,010 --> 00:06:23,520 Enterprise Mission Assurance Support Service.
149 00:06:23,520 --> 00:06:24,570 I'm sure, Rebecca,
150 00:06:24,570 --> 00:06:27,480 you probably have other names for it, (laughing)
151 00:06:27,480 --> 00:06:30,810 probably in frustration, but that's- (laughing)
152 00:06:30,810 --> 00:06:33,063 I think that's the proper name.
153 00:06:34,500 --> 00:06:38,940 So, let's talk about how you use RMF in your work
154 00:06:38,940 --> 00:06:41,820 before we really start talking about eMASS,
155 00:06:41,820 --> 00:06:43,643 because my understanding is, you know,
156 00:06:43,643 --> 00:06:47,370 RMF and eMASS are kind of a one-size-fits-all
157 00:06:47,370 --> 00:06:51,090 sort of a thing, but not everybody's doing the same kind
158 00:06:51,090 --> 00:06:53,610 of work at the same scale.
159 00:06:53,610 --> 00:06:57,633 So, how do you use RMF? Let's start there.
160 00:06:58,710 --> 00:07:02,070 Yeah. So, I come from a tactical world.
161 00:07:02,070 --> 00:07:05,280 So I come from a, we've got a mission coming up.
162 00:07:05,280 --> 00:07:06,630 It starts on Sunday.
163 00:07:06,630 --> 00:07:08,580 We have to get a system authorized
164 00:07:08,580 --> 00:07:12,003 and out to the field for a military user.
165 00:07:13,143 --> 00:07:16,153 And so, when we use RMF in that process,
166 00:07:16,153 --> 00:07:17,220 it's much more agile,
167 00:07:17,220 --> 00:07:20,220 it has to be adapted to be flexible,
168 00:07:20,220 --> 00:07:22,410 and it's all mission focused.
169 00:07:22,410 --> 00:07:26,490 And when we start looking at system categorization,
170 00:07:26,490 --> 00:07:29,490 it's more based not only just around confidentiality,
171 00:07:29,490 --> 00:07:30,780 integrity and availability,
172 00:07:30,780 --> 00:07:34,320 but we are also looking at the mission aspect of that.
173 00:07:34,320 --> 00:07:36,320 So, when you start thinking about things
174 00:07:37,171 --> 00:07:41,490 like weapon systems, IoT,
175 00:07:44,310 --> 00:07:47,430 you have very unique requirements in those systems
176 00:07:47,430 --> 00:07:49,770 where they can't necessarily implement
177 00:07:49,770 --> 00:07:51,360 what would be selected
178 00:07:51,360 --> 00:07:53,670 from a baseline categorization,
179 00:07:53,670 --> 00:07:55,170 from a CIA perspective.
180 00:07:55,170 --> 00:07:57,240 So, that's when tailoring comes in.
181 00:07:57,240 --> 00:08:01,080 Tailoring is a key part of the control selection process
182 00:08:01,080 --> 00:08:05,400 that, in my experience, a lot of people forget,
183 00:08:05,400 --> 00:08:09,270 that RMF is the framework that is to be adapted
184 00:08:09,270 --> 00:08:13,740 by organizations, and it provides the executive leadership
185 00:08:13,740 --> 00:08:17,580 in those organizations to make decisions
186 00:08:17,580 --> 00:08:19,140 on how they're going to adapt that framework
187 00:08:19,140 --> 00:08:21,210 for their systems and their missions.
188 00:08:21,210 --> 00:08:23,160 And that's really what's left out a lot
189 00:08:24,183 --> 00:08:27,480 in the DOD's implementation and interpretation of the RMF.
190 00:08:27,480 --> 00:08:29,880 Hmm. Is this tailoring aspect that,
191 00:08:29,880 --> 00:08:34,590 that people are expected to adapt the RMF
192 00:08:34,590 --> 00:08:37,500 to their specific situation? Is that right?
193 00:08:37,500 --> 00:08:38,580 That's correct, yes.
194 00:08:38,580 --> 00:08:39,859 Yeah,
195 00:08:39,859 --> 00:08:40,932 and I would think that,
196 00:08:40,932 --> 00:08:43,110 especially newer people to RMF would,
197 00:08:43,110 --> 00:08:45,660 would actually find that maybe a little bit intimidating
198 00:08:45,660 --> 00:08:47,820 or maybe a little bit like scary,
199 00:08:47,820 --> 00:08:50,130 'cause it's like, no, I want a checklist.
200 00:08:50,130 --> 00:08:51,960 What do you mean it's not a checklist, right?
201 00:08:51,960 --> 00:08:55,890 I mean, do you think that's part of maybe what's going on?
202 00:08:55,890 --> 00:08:57,450 Yeah, and like you,
203 00:08:57,450 --> 00:08:59,370 I was Air Force before I enlisted,
204 00:08:59,370 --> 00:09:02,190 and everything is standard operating procedure,
205 00:09:02,190 --> 00:09:04,350 TTP, we follow a checklist,
206 00:09:04,350 --> 00:09:06,300 you don't deviate from the checklist,
207 00:09:06,300 --> 00:09:08,310 'cause there's safety concerns,
208 00:09:08,310 --> 00:09:09,720 there's mission concerns.
209 00:09:09,720 --> 00:09:12,870 So, when we talk cybersecurity and RMF,
210 00:09:12,870 --> 00:09:17,310 and it being such an interpretable process,
211 00:09:17,310 --> 00:09:21,210 it's very difficult for us to kind of adapt our mindset
212 00:09:21,210 --> 00:09:22,620 to be able to say, wait,
213 00:09:22,620 --> 00:09:24,930 we can actually critically think
214 00:09:24,930 --> 00:09:27,360 about the system design aspects,
215 00:09:27,360 --> 00:09:30,900 the security requirements, the mission, the users,
216 00:09:30,900 --> 00:09:32,220 and put all that together,
217 00:09:32,220 --> 00:09:34,980 and, as a team, sit down and decide
218 00:09:34,980 --> 00:09:38,743 what are the tailoring aspects of this system,
219 00:09:38,743 --> 00:09:41,310 the baseline and the tailored controls,
220 00:09:41,310 --> 00:09:44,190 and then get that authorizing official
221 00:09:44,190 --> 00:09:46,350 or that AO's buy-in very early.
222 00:09:46,350 --> 00:09:48,334 So, we design the system
223 00:09:48,334 --> 00:09:49,560 where it is not over-engineered
224 00:09:49,560 --> 00:09:50,820 from a security perspective,
225 00:09:50,820 --> 00:09:53,220 but it's also protecting the data,
226 00:09:53,220 --> 00:09:54,480 the users, and the mission.
227 00:09:54,480 --> 00:09:55,653 Yeah. Yeah.
228 00:09:56,640 --> 00:09:58,470 And, do you think there's a risk that,
229 00:09:58,470 --> 00:10:01,958 as people try to tailor RMF for their situation,
230 00:10:01,958 --> 00:10:05,010 that they might make some big mistakes,
231 00:10:05,010 --> 00:10:06,720 as far as like, they might leave things out
232 00:10:06,720 --> 00:10:08,100 that they really shouldn't leave out?
233 00:10:08,100 --> 00:10:10,620 I mean, is there a lot of risk, you know,
234 00:10:10,620 --> 00:10:13,410 that people are really going to mess up the tailoring?
235 00:10:13,410 --> 00:10:14,243 Yes.
236 00:10:14,243 --> 00:10:15,390 Tailoring is one of those things,
237 00:10:15,390 --> 00:10:18,660 and that's why we have such a hard time with it in the DOD.
238 00:10:18,660 --> 00:10:20,250 And I have seen instances
239 00:10:20,250 --> 00:10:21,960 where things have been tailored out
240 00:10:21,960 --> 00:10:25,830 that actually increase the risk to the user
241 00:10:25,830 --> 00:10:28,740 on the system, and that has to be sent
242 00:10:28,740 --> 00:10:30,540 to the authorizing official
243 00:10:30,540 --> 00:10:32,760 to help make that determination,
244 00:10:32,760 --> 00:10:35,144 because there is a cost to all of this, right?
245 00:10:35,144 --> 00:10:35,977 Yeah.
246 00:10:35,977 --> 00:10:38,460 And especially, as someone who's worked as, you know,
247 00:10:38,460 --> 00:10:40,680 a security manager, a security engineer,
248 00:10:40,680 --> 00:10:42,450 we all think cost, we all think budget,
249 00:10:42,450 --> 00:10:43,623 we all think schedules.
250 00:10:44,520 --> 00:10:47,730 And that's where we're having a pretty large disconnect
251 00:10:47,730 --> 00:10:51,690 in the DOD, is that we have our main area of expertise
252 00:10:51,690 --> 00:10:53,280 and our focus, and we're concerned
253 00:10:53,280 --> 00:10:57,810 with securing data connections, users, risk.
254 00:10:57,810 --> 00:11:00,780 I mean, cost and schedules,
255 00:11:00,780 --> 00:11:04,050 that's program managers, that's program office,
256 00:11:04,050 --> 00:11:05,070 that's not our concern.
257 00:11:05,070 --> 00:11:06,690 And that's where we,
258 00:11:06,690 --> 00:11:09,510 we really start to disconnect in the DOD.
259 00:11:09,510 --> 00:11:10,800 Okay.
260 00:11:10,800 --> 00:11:11,760 This is so helpful.
261 00:11:11,760 --> 00:11:13,500 I mean, I think for anybody who hasn't worked
262 00:11:13,500 --> 00:11:16,560 with RMF for very long, or maybe they have,
263 00:11:16,560 --> 00:11:18,300 and they just find it really frustrating,
264 00:11:18,300 --> 00:11:20,820 I would hope this conversation would be really helpful
265 00:11:20,820 --> 00:11:22,860 to them to get them grounded
266 00:11:22,860 --> 00:11:24,780 on how you actually do this stuff.
267 00:11:24,780 --> 00:11:26,130 I'm interested though, Rebecca,
268 00:11:26,130 --> 00:11:30,180 would you kind of tell us how you got into RMF?
269 00:11:30,180 --> 00:11:31,410 Like, you know, where did this-
270 00:11:31,410 --> 00:11:32,910 Where did RMF start for you?
271 00:11:32,910 --> 00:11:34,230 Because to your point, you know,
272 00:11:34,230 --> 00:11:37,260 you started doing this work before RMF came along,
273 00:11:37,260 --> 00:11:41,135 but yeah, how did you and RMF meet?
274 00:11:41,135 --> 00:11:44,340 Yeah, I was actually military intelligence,
275 00:11:44,340 --> 00:11:49,100 and I took an assignment in networking for Central Command,
276 00:11:49,100 --> 00:11:50,580 and I got into it
277 00:11:50,580 --> 00:11:53,820 when it was still called information assurance.
278 00:11:53,820 --> 00:11:56,280 So, before the cybersecurity terminology.
279 00:11:56,280 --> 00:11:57,510 I remember that.
280 00:11:57,510 --> 00:11:58,710 Yes.
281 00:11:58,710 --> 00:12:02,280 Back in the pre-DITSCAP, then DITSCAP,
282 00:12:02,280 --> 00:12:04,290 and then DIACAP days,
283 00:12:04,290 --> 00:12:06,540 and then, actually, I got into RMF
284 00:12:06,540 --> 00:12:08,850 when I separated from the Air Force
285 00:12:08,850 --> 00:12:11,370 and started working for the federal agencies.
286 00:12:11,370 --> 00:12:15,630 And so, they were already following the 800-37 framework
287 00:12:15,630 --> 00:12:17,221 at that time.
288 00:12:17,221 --> 00:12:19,530 And so, I had to learn their process
289 00:12:19,530 --> 00:12:21,030 and how they do things.
290 00:12:21,030 --> 00:12:23,280 And then, once I learned that,
291 00:12:23,280 --> 00:12:27,093 and the DOD switched to the 8510.01 under the RMF,
292 00:12:28,200 --> 00:12:30,600 I started getting a lot more clients
293 00:12:30,600 --> 00:12:33,210 who were selling to the DOD
294 00:12:33,210 --> 00:12:35,640 who needed to understand this new RMF process
295 00:12:35,640 --> 00:12:39,477 and how to secure and sell to the Department of Defense.
296 00:12:39,477 --> 00:12:40,672 Ah, okay.
297 00:12:40,672 --> 00:12:42,060 Okay. Well, and you know,
298 00:12:42,060 --> 00:12:44,670 that's another interesting story that I would love to talk
299 00:12:44,670 --> 00:12:46,590 with you about, probably not during the episode today,
300 00:12:46,590 --> 00:12:50,160 but I think what you said is
301 00:12:50,160 --> 00:12:52,230 that you are actually a business owner, right?
302 00:12:52,230 --> 00:12:56,280 That you kind of launched your own company
303 00:12:56,280 --> 00:12:59,610 in order to help, but from a civilian point of view.
304 00:12:59,610 --> 00:13:01,110 Is that right?
305 00:13:01,110 --> 00:13:02,250 That's correct, yes.
306 00:13:02,250 --> 00:13:03,848 And you know what,
307 00:13:03,848 --> 00:13:05,400 I don't see a lot of people who leave the military
308 00:13:05,400 --> 00:13:06,600 who start their own businesses.
309 00:13:06,600 --> 00:13:10,383 I think that's a fairly uncommon thing.
310 00:13:10,383 --> 00:13:12,540 That's what I did eventually,
311 00:13:12,540 --> 00:13:14,730 but it took me a while to get there,
312 00:13:14,730 --> 00:13:16,260 but I just want to congratulate you
313 00:13:16,260 --> 00:13:18,540 for taking the road less traveled.
314 00:13:18,540 --> 00:13:20,370 So, I just think it's really cool.
315 00:13:20,370 --> 00:13:21,750 Thanks!
316 00:13:21,750 --> 00:13:22,583 Yeah, you're welcome.
317 00:13:22,583 --> 00:13:23,940 So, let's move on.
318 00:13:23,940 --> 00:13:26,580 Let's continue to unpack this, you know,
319 00:13:26,580 --> 00:13:29,880 how does RMF, you know, work in the real world?
320 00:13:29,880 --> 00:13:31,260 And I think a big part of that
321 00:13:31,260 --> 00:13:32,250 is something you said earlier,
322 00:13:32,250 --> 00:13:34,440 which is, okay, well we've got RMF,
323 00:13:34,440 --> 00:13:37,260 it's documented, we have to tailor it,
324 00:13:37,260 --> 00:13:39,030 but it's kind of a one-size-fits-all thing.
325 00:13:39,030 --> 00:13:42,450 It doesn't really anticipate, you know, every use case,
326 00:13:42,450 --> 00:13:44,790 but so, how do you actually use it, right?
327 00:13:44,790 --> 00:13:47,340 How do you make the best use of it,
328 00:13:47,340 --> 00:13:50,343 given that it's such a slippery kind of thing?
329 00:13:51,330 --> 00:13:54,480 So, right now, I'm in a situation
330 00:13:54,480 --> 00:13:55,800 that I am actually starting
331 00:13:55,800 --> 00:13:58,230 to help the acquisition community.
332 00:13:58,230 --> 00:14:03,120 So, the acquisition community puts on government contracts
333 00:14:03,120 --> 00:14:05,790 the requirements for security, right?
334 00:14:05,790 --> 00:14:07,380 And typically in the past,
335 00:14:07,380 --> 00:14:10,740 it would be, you have to comply with DOD 8510.01.
336 00:14:10,740 --> 00:14:12,793 Well, okay, that's a very- (chuckles)
337 00:14:12,793 --> 00:14:14,940 A very large assumption is made there,
338 00:14:14,940 --> 00:14:18,300 that anyone even understands the instructions to begin with.
339 00:14:18,300 --> 00:14:20,880 And then how to interpret it and how to, you know,
340 00:14:20,880 --> 00:14:23,250 select their baseline and then tailor.
341 00:14:23,250 --> 00:14:27,300 So, what we've been working on recently is
342 00:14:27,300 --> 00:14:29,100 developing acquisition language,
343 00:14:29,100 --> 00:14:31,920 so that, when something gets put on contract,
344 00:14:31,920 --> 00:14:35,280 the contractor, the integrator, the developer,
345 00:14:35,280 --> 00:14:36,870 even a small business like me,
346 00:14:36,870 --> 00:14:40,350 I understand exactly what I'm selling to the government,
347 00:14:40,350 --> 00:14:41,353 because I-
348 00:14:41,353 --> 00:14:43,620 I mean, something as simple as encryption type,
349 00:14:43,620 --> 00:14:45,870 that I have to build into software,
350 00:14:45,870 --> 00:14:48,363 can vastly change the cost, right?
351 00:14:48,363 --> 00:14:51,540 So, I have to bring in someone that understands the-
352 00:14:51,540 --> 00:14:55,173 A Type 2 encryptor versus a FIPS 140 encryption mechanism.
353 00:14:56,310 --> 00:14:59,550 The cost of that type of engineer varies significantly,
354 00:14:59,550 --> 00:15:01,920 and the amount of time it'll take to develop.
355 00:15:01,920 --> 00:15:05,190 So, actually getting into the acquisition cycle is going
356 00:15:05,190 --> 00:15:07,200 to be key to actually being able
357 00:15:07,200 --> 00:15:10,560 to implement RMF correctly across the DOD.
358 00:15:10,560 --> 00:15:11,393 Mm.
359 00:15:12,330 --> 00:15:14,400 And right now, there's a lot of,
360 00:15:14,400 --> 00:15:16,140 I don't want to say animosity,
361 00:15:16,140 --> 00:15:18,870 but there is quite a bit of frustration
362 00:15:18,870 --> 00:15:21,090 with the RMF process in the DOD.
363 00:15:21,090 --> 00:15:23,583 And I really think that's because the way
364 00:15:23,583 --> 00:15:25,800 that it was rolled out, it was-
365 00:15:25,800 --> 00:15:27,450 The way it was trained
366 00:15:27,450 --> 00:15:29,670 to all of the security managers,
367 00:15:29,670 --> 00:15:32,700 it was very much checklist mentality,
368 00:15:32,700 --> 00:15:35,340 let's categorize the system,
369 00:15:35,340 --> 00:15:38,100 no real tailoring was implemented,
370 00:15:38,100 --> 00:15:41,367 and it was a very rigid interpretation of the framework.
371 00:15:41,367 --> 00:15:43,650 Ah, so we're kind of our own worst enemies, right?
372 00:15:43,650 --> 00:15:46,170 Going back to a previous part of our conversation,
373 00:15:46,170 --> 00:15:48,600 where we were talking about how necessary it is
374 00:15:48,600 --> 00:15:49,860 to tailor it, but that our-
375 00:15:49,860 --> 00:15:51,990 The dominant culture is to not do that.
376 00:15:51,990 --> 00:15:54,267 The dominant culture is to be very rigid
377 00:15:54,267 --> 00:15:55,830 and to follow checklists.
378 00:15:55,830 --> 00:15:57,690 And what I'm hearing you say is, yeah,
379 00:15:57,690 --> 00:16:00,030 that's actually how they trained us to do it,
380 00:16:00,030 --> 00:16:04,080 which is not very enabling of the intent.
381 00:16:04,080 --> 00:16:06,810 And yeah, so I could see a lot of people
382 00:16:06,810 --> 00:16:10,770 would be frustrated by that, for sure.
383 00:16:10,770 --> 00:16:13,830 So, okay, so, is that how you were trained,
384 00:16:13,830 --> 00:16:16,980 and you know, how did you work through that
385 00:16:16,980 --> 00:16:20,190 to be able to use RMF the way it was intended
386 00:16:20,190 --> 00:16:22,410 versus the way you were trained?
387 00:16:22,410 --> 00:16:24,453 I think that for me,
388 00:16:26,201 --> 00:16:27,601 I think it was my leadership
389 00:16:28,924 --> 00:16:32,640 and the fact that I come from a tactical environment,
390 00:16:32,640 --> 00:16:34,080 it was fast-moving.
391 00:16:34,080 --> 00:16:36,900 Our leadership all the way up the chain understood
392 00:16:36,900 --> 00:16:39,570 that security is a priority,
393 00:16:39,570 --> 00:16:44,190 but also, mission effectiveness is a higher priority.
394 00:16:44,190 --> 00:16:47,040 So, trying to balance those two things,
395 00:16:47,040 --> 00:16:50,700 we were able to have those very open conversations
396 00:16:50,700 --> 00:16:51,930 as to, "Okay, that's fine.
397 00:16:51,930 --> 00:16:55,230 We don't have time to acquire this encryption that we need,
398 00:16:55,230 --> 00:16:58,613 or we don't have time to implement this, you know,
399 00:16:58,613 --> 00:17:03,613 AV solution, and if you want to field it, that's a risk,
400 00:17:03,837 --> 00:17:05,190 and we have to understand
401 00:17:05,190 --> 00:17:07,137 what are the consequences of those risks."
402 00:17:07,137 --> 00:17:09,753 And so, having a leadership-
403 00:17:11,460 --> 00:17:12,690 Having the leadership in place
404 00:17:12,690 --> 00:17:16,620 that understood that we could make these trade-offs,
405 00:17:16,620 --> 00:17:19,380 but we needed to understand what we were trading off
406 00:17:19,380 --> 00:17:22,080 to ensure that we are doing our due diligence
407 00:17:22,080 --> 00:17:25,473 to protect the data, the users, and the missions.
408 00:17:26,370 --> 00:17:28,071 Okay. So, in other words,
409 00:17:28,071 --> 00:17:30,337 my interpretation of what you just said is,
410 00:17:30,337 --> 00:17:32,100 "Well, I went and got this training on RMF,
411 00:17:32,100 --> 00:17:35,186 and then I went to the real world." (laughing)
412 00:17:35,186 --> 00:17:39,480 And the real world said, "Hmm, we have to do a little,
413 00:17:39,480 --> 00:17:40,890 you have to do things a little differently,"
414 00:17:40,890 --> 00:17:43,050 because, real world, right?
415 00:17:43,050 --> 00:17:45,060 We've got to balance all these competing priorities,
416 00:17:45,060 --> 00:17:46,950 and at the end of the day,
417 00:17:46,950 --> 00:17:48,810 we've got to accomplish the mission, right?
418 00:17:48,810 --> 00:17:50,280 Whatever that takes.
419 00:17:50,280 --> 00:17:53,580 And so, those are the real world, you know,
420 00:17:53,580 --> 00:17:55,680 kind of trade-offs that a person has to make.
421 00:17:55,680 --> 00:17:59,160 So, yeah, so I guess maybe something that I would say
422 00:17:59,160 --> 00:18:01,350 to people is, if you're learning RMF,
423 00:18:01,350 --> 00:18:03,360 or maybe you've already been through the training
424 00:18:03,360 --> 00:18:05,130 and you're struggling with it,
425 00:18:05,130 --> 00:18:07,020 what I'm hearing is, you know,
426 00:18:07,020 --> 00:18:10,320 lean into the reality of the situation that you're in,
427 00:18:10,320 --> 00:18:11,430 and you know,
428 00:18:11,430 --> 00:18:13,260 draw what you can from RMF,
429 00:18:13,260 --> 00:18:15,900 but don't be such a slave to RMF
430 00:18:15,900 --> 00:18:18,060 that you can't get your mission accomplished.
431 00:18:18,060 --> 00:18:20,790 Is that like a reasonable way to kind of summarize
432 00:18:20,790 --> 00:18:22,410 what you were saying?
433 00:18:22,410 --> 00:18:23,310 Yes it is.
434 434 00:18:23,310 --> 00:18:26,220 Oh, and the one thing I'm always very adamant 435 435 00:18:26,220 --> 00:18:29,670 about telling people is that, make sure you're truthful. 436 436 00:18:29,670 --> 00:18:31,500 So, even when you're putting together, 437 437 00:18:31,500 --> 00:18:33,690 like your security plan, 438 438 00:18:33,690 --> 00:18:37,380 if you're not doing something annotated in there, 439 439 00:18:37,380 --> 00:18:40,320 documented, be truthful, you know, 440 440 00:18:40,320 --> 00:18:42,000 do a risk analysis on it, 441 441 00:18:42,000 --> 00:18:44,830 determine what risks that bring to the system 442 442 00:18:45,930 --> 00:18:49,863 and what are some mitigations that can be put into place, 443 443 00:18:51,000 --> 00:18:52,530 and then document all of that, 444 444 00:18:52,530 --> 00:18:54,510 so you can communicate that up to leadership, 445 445 00:18:54,510 --> 00:18:56,640 because, as you mentioned earlier, 446 446 00:18:56,640 --> 00:18:59,310 that authorizing official has to sign off on it, 447 447 00:18:59,310 --> 00:19:01,140 and they need to actually understand 448 448 00:19:01,140 --> 00:19:05,040 the reality of the situation, not a clouded view. 449 449 00:19:05,040 --> 00:19:05,873 Yeah. 450 450 00:19:05,873 --> 00:19:08,460 And it's not reasonable to expect an authorizing official 451 451 00:19:08,460 --> 00:19:10,533 to really even understand RMF, is it? 452 452 00:19:11,970 --> 00:19:13,560 I think, yes, 453 453 00:19:13,560 --> 00:19:15,270 I mean, a part of their training 454 454 00:19:15,270 --> 00:19:16,770 to be an authorizing official, 455 455 00:19:16,770 --> 00:19:19,260 they're supposed to actually take training 456 456 00:19:19,260 --> 00:19:20,670 in the RMF process. 457 457 00:19:20,670 --> 00:19:24,120 And those that I have worked with recently are pretty aware 458 458 00:19:24,120 --> 00:19:27,060 of the RMF process and frustrated with it, right? 
459 459 00:19:27,060 --> 00:19:29,820 Because it is holding up some progress. 460 460 00:19:29,820 --> 00:19:34,807 It is making the system development life cycle take longer. 461 461 00:19:34,807 --> 00:19:35,997 Yeah, okay. 462 462 00:19:35,997 --> 00:19:38,010 And from my experience, 463 463 00:19:38,010 --> 00:19:41,036 all that hold up is in the middle tier. 464 464 00:19:41,036 --> 00:19:43,170 It's all of those middle. 465 465 00:19:43,170 --> 00:19:45,780 The leadership, they want to be able 466 466 00:19:45,780 --> 00:19:47,430 to make those decisions quickly. 467 467 00:19:47,430 --> 00:19:49,500 They want to be able to move quickly, 468 468 00:19:49,500 --> 00:19:51,000 but we're holding it up in the middle 469 469 00:19:51,000 --> 00:19:54,030 with this whole checklist mentality problem we're having. 470 470 00:19:54,030 --> 00:19:55,170 Okay, right. 471 471 00:19:55,170 --> 00:19:56,490 And you'd mentioned that before. 472 472 00:19:56,490 --> 00:20:00,900 Now, in DOD anyway, you had told me previously, 473 473 00:20:00,900 --> 00:20:03,060 when we were talking about, you know, 474 474 00:20:03,060 --> 00:20:05,220 the episode here we're doing our preparations, 475 475 00:20:05,220 --> 00:20:08,400 and you said DOD has some initiatives 476 476 00:20:08,400 --> 00:20:10,710 to try and address these issues 477 477 00:20:10,710 --> 00:20:13,410 and to actually revise RMF. 478 478 00:20:13,410 --> 00:20:14,643 What are you seeing? 479 479 00:20:15,600 --> 00:20:18,750 Yeah, we're seeing what's called RMF 2.0. 480 480 00:20:18,750 --> 00:20:22,920 We're seeing the Fast-Track RMF, or Best-Track ATO. 481 481 00:20:22,920 --> 00:20:26,160 We're seeing Continuous ATO. 
482 482 00:20:26,160 --> 00:20:29,190 So, depending on where you're at in the DOD, 483 483 00:20:29,190 --> 00:20:31,020 it's being called a different name, 484 484 00:20:31,020 --> 00:20:34,350 but really it, kind of, peel all the layers to it, 485 485 00:20:34,350 --> 00:20:35,910 what it means is, 486 486 00:20:35,910 --> 00:20:39,060 do very good system security engineering, 487 487 00:20:39,060 --> 00:20:42,930 design systems that can be continuously monitored, 488 488 00:20:42,930 --> 00:20:45,900 monitor those systems, monitor the risk, 489 489 00:20:45,900 --> 00:20:48,390 continue to report that risk up, 490 490 00:20:48,390 --> 00:20:53,130 and then your ATO should continue to flow. 491 491 00:20:53,130 --> 00:20:54,330 Mm. Okay. 492 492 00:20:54,330 --> 00:20:57,150 Now, let's define that term for a moment, ATO, 493 493 00:20:57,150 --> 00:20:59,160 'cause I don't think we've defined it yet, 494 494 00:20:59,160 --> 00:21:00,240 but we've been using it. 495 495 00:21:00,240 --> 00:21:01,073 So, what's ATO? 496 496 00:21:02,040 --> 00:21:04,710 So, your ATO is your authorization to operate. 497 497 00:21:04,710 --> 00:21:07,860 So, for the DOD, it's what allows you 498 498 00:21:07,860 --> 00:21:12,120 to take a system and actually use it as a DOD entity. 499 499 00:21:12,120 --> 00:21:14,250 So, whether that's a standalone system, 500 500 00:21:14,250 --> 00:21:16,740 or it's connected to some type of network 501 501 00:21:16,740 --> 00:21:18,765 or cloud environment. 502 502 00:21:18,765 --> 00:21:19,680 Okay. Okay, got it. 
503 503 00:21:19,680 --> 00:21:20,513 So, which- 504 504 00:21:20,513 --> 00:21:25,470 Do you have an opinion of your own, as far as, 505 505 00:21:25,470 --> 00:21:29,130 you know, RMF 2.0, Fast-Track ATO, Continuous ATO, 506 506 00:21:29,130 --> 00:21:31,350 do you think that they're headed in the right direction 507 507 00:21:31,350 --> 00:21:34,950 in terms of addressing what the real, you know, 508 508 00:21:34,950 --> 00:21:38,343 issue is with RMF and making it more useful? 509 509 00:21:40,710 --> 00:21:42,150 I mean, any steps 510 510 00:21:42,150 --> 00:21:44,853 for an improvement are helpful, obviously. 511 511 00:21:45,810 --> 00:21:48,180 Some of those processes have, kind of, 512 512 00:21:48,180 --> 00:21:50,190 a subset of control in the beginning 513 513 00:21:50,190 --> 00:21:51,420 that are implemented, 514 514 00:21:51,420 --> 00:21:54,570 and then as you move through your ATO process, 515 515 00:21:54,570 --> 00:21:57,840 you implement more and more security controls. 516 516 00:21:57,840 --> 00:21:59,550 But really, a lot of that should have been done 517 517 00:21:59,550 --> 00:22:00,990 in the development life cycle 518 518 00:22:00,990 --> 00:22:04,230 for developing software for a system 519 519 00:22:04,230 --> 00:22:06,450 that has multiple pieces of software. 520 520 00:22:06,450 --> 00:22:08,793 We should have already have done most of that. 521 521 00:22:09,720 --> 00:22:11,670 So, I think the initiatives are good. 522 522 00:22:11,670 --> 00:22:13,500 I don't think they're, you know, 523 523 00:22:13,500 --> 00:22:15,480 the final be all that'll get us 524 524 00:22:15,480 --> 00:22:17,310 to where we need to be. 525 525 00:22:17,310 --> 00:22:19,315 I honestly believe that a lot of it 526 526 00:22:19,315 --> 00:22:21,394 is coming down to the training. 527 527 00:22:21,394 --> 00:22:23,083 Mm, okay, okay. 528 528 00:22:23,083 --> 00:22:24,480 That's really interesting. 
529 529 00:22:24,480 --> 00:22:28,980 So again, it's not that RMF itself is so much of an issue, 530 530 00:22:28,980 --> 00:22:33,180 it's just the culture, the institution, right? 531 531 00:22:33,180 --> 00:22:37,110 Trying to evolve itself to this kind of, 532 532 00:22:37,110 --> 00:22:39,445 you know, more flexible approach. 533 533 00:22:39,445 --> 00:22:41,160 Okay, well that's fascinating, 534 534 00:22:41,160 --> 00:22:44,732 and hopefully, with time, you know, 535 535 00:22:44,732 --> 00:22:47,640 maybe these two things will meet in the middle. 536 536 00:22:47,640 --> 00:22:49,080 RMF will change a little bit, 537 537 00:22:49,080 --> 00:22:50,880 and the culture will change a little bit, 538 538 00:22:50,880 --> 00:22:52,743 and we'll be able to get someplace. 539 539 00:22:53,670 --> 00:22:56,605 You know, one thing that I was curious about, 540 540 00:22:56,605 --> 00:22:59,553 this is a little off-the-cuff question here to you, 541 541 00:23:00,540 --> 00:23:01,830 but I've been thinking about the difference 542 542 00:23:01,830 --> 00:23:04,350 between RMF and the NIST cybersecurity framework, 543 543 00:23:04,350 --> 00:23:07,627 and, you know, some people have said to me, 544 544 00:23:07,627 --> 00:23:10,170 "Well, actually, they're kind of complementary." 545 545 00:23:10,170 --> 00:23:11,280 And I think to myself, 546 546 00:23:11,280 --> 00:23:13,110 well, they're definitely different, 547 547 00:23:13,110 --> 00:23:16,290 and so I suppose they could be complementary, 548 548 00:23:16,290 --> 00:23:18,780 whereas RMF is focused on the, you know, 549 549 00:23:18,780 --> 00:23:21,600 development life cycle and the cybersecurity framework is 550 550 00:23:21,600 --> 00:23:26,340 really more about an incident orientation. 
551 551 00:23:26,340 --> 00:23:28,890 So, do you think that the NIST cybersecurity framework 552 552 00:23:28,890 --> 00:23:32,460 would be a good way to do step seven, 553 553 00:23:32,460 --> 00:23:36,510 that continuously monitor step in RMF, 554 554 00:23:36,510 --> 00:23:37,770 or, you know, how do you think 555 555 00:23:37,770 --> 00:23:40,200 about the way these two frameworks, kind of, 556 556 00:23:40,200 --> 00:23:41,940 fit up to each other? 557 557 00:23:41,940 --> 00:23:44,640 Yeah, I mean, they definitely have their place. 558 558 00:23:44,640 --> 00:23:47,040 They're both a little bit different from each other, 559 559 00:23:47,040 --> 00:23:48,420 but they do complement each other. 560 560 00:23:48,420 --> 00:23:52,260 And I do think that I am actually seeing more entities 561 561 00:23:52,260 --> 00:23:55,123 in the DOD start looking at the CSF. 562 562 00:23:55,123 --> 00:23:57,330 So, the cybersecurity framework, 563 563 00:23:57,330 --> 00:23:58,950 and how to bring that 564 564 00:23:58,950 --> 00:24:02,520 into that continuous monitoring type phase. 565 565 00:24:02,520 --> 00:24:03,353 Okay. 566 566 00:24:03,353 --> 00:24:05,820 So, you do think that that's a natural touch point 567 567 00:24:05,820 --> 00:24:07,650 for these two frameworks is 568 568 00:24:07,650 --> 00:24:09,720 that step seven continuous monitoring. 569 569 00:24:09,720 --> 00:24:11,534 Okay, thanks, I appreciate that. 570 570 00:24:11,534 --> 00:24:14,373 I was trying to figure that out for myself. 571 571 00:24:15,480 --> 00:24:17,643 All right, so, let's see. 
572 572 00:24:18,540 --> 00:24:19,800 You know, when we were doing show prep, 573 573 00:24:19,800 --> 00:24:21,120 you had mentioned a few other things 574 574 00:24:21,120 --> 00:24:24,990 that I think our audience would really benefit 575 575 00:24:24,990 --> 00:24:26,940 from hearing about, 576 576 00:24:26,940 --> 00:24:31,940 which is some examples around, you know, 577 577 00:24:32,010 --> 00:24:34,893 some of the difficulties of legacy systems in RMF, 578 578 00:24:35,880 --> 00:24:38,940 and, you know, the fact that you've got systems 579 579 00:24:38,940 --> 00:24:41,957 that are no longer in a development state, right? 580 580 00:24:41,957 --> 00:24:43,590 Their development is finished, 581 581 00:24:43,590 --> 00:24:46,530 and maybe they'll never be enhanced again. 582 582 00:24:46,530 --> 00:24:51,300 And yet, you're still expected to use a SDLC-style approach 583 583 00:24:51,300 --> 00:24:55,530 to achieving approval to operate. 584 584 00:24:55,530 --> 00:24:56,760 What's that been like for you? 585 585 00:24:56,760 --> 00:24:58,910 How do you deal with a situation like that? 586 586 00:25:00,060 --> 00:25:03,090 It's been a struggle for everybody involved, right? 587 587 00:25:03,090 --> 00:25:06,600 So, we have systems in the DOD that are, I mean, 588 588 00:25:06,600 --> 00:25:10,106 designed and deployed in the sixties, the seventies, 589 589 00:25:10,106 --> 00:25:11,654 they're not even running on- 590 590 00:25:11,654 --> 00:25:13,904 Back when they were new. (laughing) 591 591 00:25:13,904 --> 00:25:15,491 Exactly. (laughing) 592 592 00:25:15,491 --> 00:25:18,090 So, a lot of them are still running on that platform. 593 593 00:25:18,090 --> 00:25:19,530 And so, when you take something 594 594 00:25:19,530 --> 00:25:22,920 that can only take a six-digit password, 595 595 00:25:22,920 --> 00:25:23,753 and you try to say, 596 596 00:25:23,753 --> 00:25:26,760 "Well, you have to put a 14-character password on it." 
597 597 00:25:26,760 --> 00:25:29,520 How much development expense do you put 598 598 00:25:29,520 --> 00:25:31,920 in finding a developer, first of all, 599 599 00:25:31,920 --> 00:25:33,240 and then, I mean, 600 600 00:25:33,240 --> 00:25:36,000 are you actually improving the security of that system? 601 601 00:25:36,000 --> 00:25:39,417 Is it really a necessary requirement for that system? 602 602 00:25:39,417 --> 00:25:41,370 And a lot of that, as we're going through, 603 603 00:25:41,370 --> 00:25:43,980 and that's where I believe the training problem is coming 604 604 00:25:43,980 --> 00:25:47,197 into play, because those that are saying, 605 605 00:25:47,197 --> 00:25:49,860 "Okay, you have to come to my organization 606 606 00:25:49,860 --> 00:25:51,540 as a security controls assessor, 607 607 00:25:51,540 --> 00:25:53,310 and I'm doing your independent assessment, 608 608 00:25:53,310 --> 00:25:57,450 and you only have a six-character password, or even PIN, 609 609 00:25:57,450 --> 00:26:00,125 on your system, you fail." 610 610 00:26:00,125 --> 00:26:02,190 Well, do you really fail 611 611 00:26:02,190 --> 00:26:04,713 if the system isn't capable of doing that? 612 612 00:26:05,970 --> 00:26:09,510 And so, that is where we're really struggling in the DOD, 613 613 00:26:09,510 --> 00:26:11,040 is that kind of, that's what I said earlier, 614 614 00:26:11,040 --> 00:26:13,890 that middle tier, where I have to send my system 615 615 00:26:13,890 --> 00:26:16,530 to an assessor who has no idea at all. 616 616 00:26:16,530 --> 00:26:18,930 You know, they're right out of college, maybe, 617 617 00:26:18,930 --> 00:26:20,130 they're a new airman, 618 618 00:26:20,130 --> 00:26:21,390 this is a new position. 
619 619 00:26:21,390 --> 00:26:22,530 And I'm trying to explain, 620 620 00:26:22,530 --> 00:26:24,360 and that's why it's very important that, 621 621 00:26:24,360 --> 00:26:26,550 in that documentation, you say, you know, 622 622 00:26:26,550 --> 00:26:29,760 you clearly state the system is, you know, 623 623 00:26:29,760 --> 00:26:33,000 legacy, it can't support 14-character password. 624 624 00:26:33,000 --> 00:26:34,710 And this is a very simple example 625 625 00:26:34,710 --> 00:26:37,068 that's very true, but- 626 626 00:26:37,068 --> 00:26:37,980 Oh, oh it is. 627 627 00:26:37,980 --> 00:26:40,440 And you know, Rebecca, as you talk about this, 628 628 00:26:40,440 --> 00:26:42,240 I'm reminded of some experiences I've had 629 629 00:26:42,240 --> 00:26:43,410 in the private sector, 630 630 00:26:43,410 --> 00:26:46,170 where I had a customer who was going 631 631 00:26:46,170 --> 00:26:47,820 through a payment card industry 632 632 00:26:47,820 --> 00:26:50,700 data security standard audit, right? 633 633 00:26:50,700 --> 00:26:54,420 Because they wanted to conform to the PCI DSS, 634 634 00:26:54,420 --> 00:26:56,250 and, similar things. 635 635 00:26:56,250 --> 00:26:57,570 This was a while ago, but you know, 636 636 00:26:57,570 --> 00:26:58,860 there would be a mainframe computer 637 637 00:26:58,860 --> 00:27:01,170 that was processing credit card transactions, 638 638 00:27:01,170 --> 00:27:03,210 and it was legacy, and you know, 639 639 00:27:03,210 --> 00:27:04,800 it just couldn't, you know, 640 640 00:27:04,800 --> 00:27:05,970 whether it was a password, 641 641 00:27:05,970 --> 00:27:07,110 or just some other things, 642 642 00:27:07,110 --> 00:27:09,750 it just could not perform 643 643 00:27:09,750 --> 00:27:12,207 to all of the requirements in PCI DSS. 
644 644 00:27:12,207 --> 00:27:13,890 And so, we had to figure out 645 645 00:27:13,890 --> 00:27:16,020 how to create compensating controls 646 646 00:27:16,020 --> 00:27:16,980 and do other things 647 647 00:27:16,980 --> 00:27:19,290 in order to meet the intent of the requirement, 648 648 00:27:19,290 --> 00:27:22,620 knowing that the requirement itself was not going to be met 649 649 00:27:22,620 --> 00:27:26,187 in a very, you know, inside that system. 650 650 00:27:26,187 --> 00:27:29,394 And so, that sounds very similar to what you said. 651 651 00:27:29,394 --> 00:27:30,810 I mean, right? 652 652 00:27:30,810 --> 00:27:32,375 That's the same, isn't it? 653 653 00:27:32,375 --> 00:27:33,208 Absolutely, that's the same. 654 654 00:27:33,208 --> 00:27:35,079 Everyone's having the problem. 655 655 00:27:35,079 --> 00:27:36,360 Medical community is having it. 656 656 00:27:36,360 --> 00:27:39,540 Anybody that is trying to meet a compliance standard 657 657 00:27:39,540 --> 00:27:42,810 that is built on modern development processes 658 658 00:27:42,810 --> 00:27:45,240 and platforms are having the same issue. 659 659 00:27:45,240 --> 00:27:46,710 Right, okay. 660 660 00:27:46,710 --> 00:27:48,060 So, listen, for anybody out there 661 661 00:27:48,060 --> 00:27:51,720 who has experience working in PCI DSS, or HIPAA, 662 662 00:27:51,720 --> 00:27:53,250 or what have you, where you're trying 663 663 00:27:53,250 --> 00:27:54,083 to take a framework, 664 664 00:27:54,083 --> 00:27:57,720 and you're trying to get a legacy system 665 665 00:27:57,720 --> 00:27:59,640 to conform to it, 666 666 00:27:59,640 --> 00:28:01,020 well, if you come over to RMF, 667 667 00:28:01,020 --> 00:28:03,090 welcome to the party, because it sounds like (laughing) 668 668 00:28:03,090 --> 00:28:05,880 it's going to just be more of the same. 
(laughing) 669 669 00:28:05,880 --> 00:28:07,230 RMF does another thing too, 670 670 00:28:07,230 --> 00:28:09,270 which I thought was really interesting. 671 671 00:28:09,270 --> 00:28:10,103 You know, these days, 672 672 00:28:10,103 --> 00:28:12,450 we talk about advanced persistent threats, 673 673 00:28:12,450 --> 00:28:14,250 and we talk about zero trust, 674 674 00:28:14,250 --> 00:28:17,010 and those things really bring up this idea 675 675 00:28:17,010 --> 00:28:18,810 of assume breach, right? 676 676 00:28:18,810 --> 00:28:20,610 As a philosophy, right? 677 677 00:28:20,610 --> 00:28:22,980 Because, for so long, we've been in this mindset 678 678 00:28:22,980 --> 00:28:26,250 that we are assuming that a system is not breached, 679 679 00:28:26,250 --> 00:28:28,260 so we can build nice walls around it, right? 680 680 00:28:28,260 --> 00:28:29,880 And keep it pure, 681 681 00:28:29,880 --> 00:28:32,130 but we've realized that 682 682 00:28:32,130 --> 00:28:34,793 that's just not the way the world works anymore. 683 683 00:28:34,793 --> 00:28:36,907 But, during the show prep, you were saying, 684 684 00:28:36,907 --> 00:28:38,760 "Yeah, unfortunately, RMF, 685 685 00:28:38,760 --> 00:28:40,350 kind of, hasn't really caught up 686 686 00:28:40,350 --> 00:28:42,480 to the reality of assume breach." 687 687 00:28:42,480 --> 00:28:43,713 Did I get that right? 688 688 00:28:44,640 --> 00:28:45,750 Yes, yes. 689 689 00:28:45,750 --> 00:28:46,800 So, it doesn't- 690 690 00:28:46,800 --> 00:28:49,200 It's not looking at advanced persistent threat. 691 691 00:28:49,200 --> 00:28:50,910 So, that's why, in the DOD, 692 692 00:28:50,910 --> 00:28:52,860 and not to throw us off track at all, 693 693 00:28:52,860 --> 00:28:54,570 but we are really starting 694 694 00:28:54,570 --> 00:28:59,454 to look at resiliency and survivability in our systems. 
695 695 00:28:59,454 --> 00:29:00,287 And, and that's- 696 696 00:29:00,287 --> 00:29:02,580 This cybersecurity framework is really designed 697 697 00:29:02,580 --> 00:29:06,480 around resilience, and I don't know 698 698 00:29:06,480 --> 00:29:09,960 that they ever used the term assume breach in there exactly, 699 699 00:29:09,960 --> 00:29:12,367 but they certainly do emphasize the fact that, 700 700 00:29:12,367 --> 00:29:14,670 you know, it's not all about prevention. 701 701 00:29:14,670 --> 00:29:17,430 That you have to detect, respond, and recover as well, 702 702 00:29:17,430 --> 00:29:19,620 and be prepared to do those things, 703 703 00:29:19,620 --> 00:29:21,180 and as fast as you can, 704 704 00:29:21,180 --> 00:29:22,740 because that really matters, 705 705 00:29:22,740 --> 00:29:26,160 in terms of being able to survive. 706 706 00:29:26,160 --> 00:29:28,980 Okay, so, (laughing) now we get to the part 707 707 00:29:28,980 --> 00:29:31,440 that we really were aiming at, 708 708 00:29:31,440 --> 00:29:33,090 which is eMASS, right? 709 709 00:29:33,090 --> 00:29:34,740 What is eMASS? 710 710 00:29:34,740 --> 00:29:35,820 Who should use it, 711 711 00:29:35,820 --> 00:29:37,800 and what are its limitations? 712 712 00:29:37,800 --> 00:29:39,750 What are the things that are really good about it? 713 713 00:29:39,750 --> 00:29:42,150 So, hi Rebecca, I'm new. 714 714 00:29:42,150 --> 00:29:43,173 What's eMASS? 715 715 00:29:44,490 --> 00:29:47,027 So, the first thing to understand about eMASS is 716 716 00:29:47,027 --> 00:29:50,040 it is what we call a government off-the-shelf. 717 717 00:29:50,040 --> 00:29:52,380 So, you can't go and buy it 718 718 00:29:52,380 --> 00:29:53,550 from a commercial vendor. 719 719 00:29:53,550 --> 00:29:58,550 It is developed for the DOD by DOD contractors, 720 720 00:29:59,190 --> 00:30:03,123 available to DOD users on DOD systems. 
721 721 00:30:03,960 --> 00:30:05,550 So if you were, you know, 722 722 00:30:05,550 --> 00:30:09,120 an integrator or a small business trying to use eMASS, 723 723 00:30:09,120 --> 00:30:12,780 or, you know, learn, teach yourself how to use it, 724 724 00:30:12,780 --> 00:30:13,613 you can't do that. 725 725 00:30:13,613 --> 00:30:16,293 It has to be from a DOD network. 726 726 00:30:17,640 --> 00:30:20,220 And so, really, what it does is it helps walk you 727 727 00:30:20,220 --> 00:30:22,380 through the seven steps. 728 728 00:30:22,380 --> 00:30:25,050 So, you start by registering your system, 729 729 00:30:25,050 --> 00:30:29,356 and it's very access-control oriented. 730 730 00:30:29,356 --> 00:30:34,356 Restrictions are pretty tight around permissions. 731 731 00:30:34,410 --> 00:30:35,243 So, like right now, 732 732 00:30:35,243 --> 00:30:38,880 one of my organizations I work with is very small. 733 733 00:30:38,880 --> 00:30:40,410 There are two of us. 734 734 00:30:40,410 --> 00:30:43,573 And so, we have to get multiple roles in eMASS 735 735 00:30:43,573 --> 00:30:45,570 to be able to do all the jobs, 736 736 00:30:45,570 --> 00:30:48,270 to work the system through the process. 737 737 00:30:48,270 --> 00:30:50,310 So, are you having to log out and log back in, 738 738 00:30:50,310 --> 00:30:52,230 depending on what step you're trying to accomplish? 739 739 00:30:52,230 --> 00:30:53,063 Is it that awkward? 740 740 00:30:53,063 --> 00:30:56,430 No, they're able to actually give you the permissions 741 741 00:30:56,430 --> 00:30:58,638 under one account, thankfully. 742 742 00:30:58,638 --> 00:31:00,993 Oh, good. 743 743 00:31:00,993 --> 00:31:02,610 But, it's very permission-based, 744 744 00:31:02,610 --> 00:31:04,140 which it obviously should be, right? 
745 745 00:31:04,140 --> 00:31:08,137 We're trying to prevent me from being able to say, 746 746 00:31:08,137 --> 00:31:10,170 "Oh, I'm doing this, you know, 747 747 00:31:10,170 --> 00:31:12,120 for this control, and I do it really well, 748 748 00:31:12,120 --> 00:31:14,640 and oh, let me just go ahead and assess myself." 749 749 00:31:14,640 --> 00:31:16,980 You know, you've got to have a separation of duty there. 750 750 00:31:16,980 --> 00:31:18,150 Right, right. 751 751 00:31:18,150 --> 00:31:20,220 Yeah, listening to you talk about using eMASS 752 752 00:31:20,220 --> 00:31:21,960 when you were such a small organization, 753 753 00:31:21,960 --> 00:31:23,010 makes me think about, 754 754 00:31:24,030 --> 00:31:26,467 maybe like a two-person startup who says, 755 755 00:31:26,467 --> 00:31:29,457 "Let's use Salesforce for our CRM, you know, (laughing) 756 756 00:31:29,457 --> 00:31:31,441 and it's like, wait a minute. 757 757 00:31:31,441 --> 00:31:32,640 (Rebecca and Kip laughing) 758 758 00:31:32,640 --> 00:31:34,530 That's a highly scaled system, 759 759 00:31:34,530 --> 00:31:37,290 and probably not the best place for you to start. 760 760 00:31:37,290 --> 00:31:39,570 When I talk with mid-market companies 761 761 00:31:39,570 --> 00:31:42,540 about doing different things for the cybersecurity, 762 762 00:31:42,540 --> 00:31:43,657 sometimes they'll say to me, 763 763 00:31:43,657 --> 00:31:45,930 "Well, what if we get, you know, XYZ product, 764 764 00:31:45,930 --> 00:31:48,420 because that's very popular 765 765 00:31:48,420 --> 00:31:49,980 and all the big companies use it." 766 766 00:31:49,980 --> 00:31:53,730 And I say, "You know, I understand why you say that, 767 767 00:31:53,730 --> 00:31:57,660 but that's kind of like putting your 14-year-old son 768 768 00:31:57,660 --> 00:32:00,780 into his dad's suit and sending him off to, you know, 769 769 00:32:00,780 --> 00:32:02,190 the junior high dance. 
770 770 00:32:02,190 --> 00:32:03,990 It's really not going to work. 771 771 00:32:03,990 --> 00:32:05,430 It's just, you know, 772 772 00:32:05,430 --> 00:32:08,190 that suit was never designed for such a small kid, 773 773 00:32:08,190 --> 00:32:11,940 and he's going to look silly, and worse yet, 774 774 00:32:11,940 --> 00:32:13,980 I mean, it can be so expensive 775 775 00:32:13,980 --> 00:32:16,080 to use something that's been sized 776 776 00:32:16,080 --> 00:32:18,840 beyond the scale that you're operating at." 777 777 00:32:18,840 --> 00:32:20,250 And so what I'm hearing is, 778 778 00:32:20,250 --> 00:32:21,540 is that if you're a small organization, 779 779 00:32:21,540 --> 00:32:23,670 eMASS can kind of feel like you're wearing, 780 780 00:32:23,670 --> 00:32:26,310 you know, too big of a dress. (laughing) 781 781 00:32:26,310 --> 00:32:29,190 Yeah. But on the other end, if you are- 782 782 00:32:29,190 --> 00:32:31,830 So, we work a lot with system of systems. 783 783 00:32:31,830 --> 00:32:33,690 I don't know if you've ever talked about that 784 784 00:32:33,690 --> 00:32:34,920 in any of your podcasts. 785 785 00:32:34,920 --> 00:32:36,060 I haven't, we haven't. 786 786 00:32:36,060 --> 00:32:38,190 Tell us what that is, please. 787 787 00:32:38,190 --> 00:32:39,023 So, a system of systems is, 788 788 00:32:39,023 --> 00:32:40,200 if you think about, 789 789 00:32:40,200 --> 00:32:43,110 think about like Navy Ships, a good example, right? 790 790 00:32:43,110 --> 00:32:46,110 It is a system, the ship is a system in its own, 791 791 00:32:46,110 --> 00:32:49,830 but there are thousands of systems on that ship 792 792 00:32:49,830 --> 00:32:51,810 that have to work together. 793 793 00:32:51,810 --> 00:32:53,040 Some of them are standalone, 794 794 00:32:53,040 --> 00:32:54,390 some are working together, 795 795 00:32:54,390 --> 00:32:57,000 some are communicating back home. 
796 796 00:32:57,000 --> 00:32:59,340 But that is what we call a system of systems. 797 797 00:32:59,340 --> 00:33:00,720 These all have to work together. 798 798 00:33:00,720 --> 00:33:03,360 So, eMASS doesn't do a great job 799 799 00:33:03,360 --> 00:33:06,630 of looking at risk across that entire enterprise, 800 800 00:33:06,630 --> 00:33:08,490 a system of systems, either. 801 801 00:33:08,490 --> 00:33:12,540 So, it's really right in that mid-level development size 802 802 00:33:12,540 --> 00:33:15,120 of system that works really well in. 803 803 00:33:15,120 --> 00:33:16,530 Interesting, okay, yeah. 804 804 00:33:16,530 --> 00:33:19,627 So, in my brain, I think of like subsystems, right? 805 805 00:33:19,627 --> 00:33:22,380 You know, 'cause you can't really operate a ship 806 806 00:33:22,380 --> 00:33:23,880 without all these subsystems 807 807 00:33:23,880 --> 00:33:25,770 and, kind of, how they integrate with each other. 808 808 00:33:25,770 --> 00:33:27,180 You know, if Jason Dion was here, 809 809 00:33:27,180 --> 00:33:28,440 he'd be all over this, 810 810 00:33:28,440 --> 00:33:31,650 because, as a person who was just retired from the Navy, 811 811 00:33:31,650 --> 00:33:34,740 he could probably tell us all kinds of really cool stories 812 812 00:33:34,740 --> 00:33:37,050 about, you know, how subsystems on ships 813 813 00:33:37,050 --> 00:33:40,710 don't work the way they're supposed to, or what have you. 814 814 00:33:40,710 --> 00:33:41,910 But, let's get back to eMASS. 815 815 00:33:41,910 --> 00:33:43,740 So, okay, so what I'm hearing is 816 816 00:33:43,740 --> 00:33:47,070 eMASS is not something you can buy without a prescription. 
817 817 00:33:47,070 --> 00:33:50,910 And I'm hearing that eMASS is like kind of complicated, 818 818 00:33:50,910 --> 00:33:55,140 and a little difficult to kind of get your arms around, 819 819 00:33:55,140 --> 00:33:57,840 and that the only way you're going to get into eMASS is 820 820 00:33:57,840 --> 00:34:02,760 if you apply to somebody in the government, right? 821 821 00:34:02,760 --> 00:34:04,230 To issue you an account. 822 822 00:34:04,230 --> 00:34:05,730 And they probably won't do that 823 823 00:34:05,730 --> 00:34:07,800 unless you've got some kind of contract you're working on. 824 824 00:34:07,800 --> 00:34:09,420 Is that about right? 825 825 00:34:09,420 --> 00:34:12,319 Yes, and typically you have to have a DOD CAC. 826 826 00:34:12,319 --> 00:34:13,830 So, it is CAC. 827 827 00:34:13,830 --> 00:34:14,663 Okay. 828 828 00:34:14,663 --> 00:34:18,018 And that's a common access, how do- 829 829 00:34:18,018 --> 00:34:19,410 Card. 830 830 00:34:19,410 --> 00:34:20,720 Okay, common access card, right. 831 831 00:34:20,720 --> 00:34:23,730 So that's like a smart card, is it not? 832 832 00:34:23,730 --> 00:34:24,720 It is. 833 833 00:34:24,720 --> 00:34:25,553 When I- 834 834 00:34:25,553 --> 00:34:27,990 They didn't have these things when I was on active duty, 835 835 00:34:27,990 --> 00:34:28,950 so I've heard about them, 836 836 00:34:28,950 --> 00:34:30,510 but I've never actually had one. 837 837 00:34:30,510 --> 00:34:33,270 And is eMASS web-based or is it like a piece 838 838 00:34:33,270 --> 00:34:36,180 of software you install on your local computer? 839 839 00:34:36,180 --> 00:34:37,600 It is a web-based app, yep. 840 840 00:34:37,600 --> 00:34:39,630 Okay, okay, got that. 841 841 00:34:39,630 --> 00:34:41,520 Okay, cool. 842 842 00:34:41,520 --> 00:34:43,890 And now, what else about using eMASS? 
843 843 00:34:43,890 --> 00:34:46,980 I mean, are there any, in your experience, 844 844 00:34:46,980 --> 00:34:49,980 any particular gotchas, or tips, or tricks? 845 845 00:34:49,980 --> 00:34:52,530 I mean, like again, hi Rebecca, I'm new, 846 846 00:34:52,530 --> 00:34:54,480 I'm using eMASS for the first time. 847 847 00:34:54,480 --> 00:34:55,313 What should I know? 848 848 00:34:55,313 --> 00:34:58,643 What else would you tell me so I can be successful? 849 849 00:34:58,643 --> 00:35:01,830 So, it's going to depend on when you come in 850 850 00:35:01,830 --> 00:35:03,840 and the life cycle of your system. 851 851 00:35:03,840 --> 00:35:05,880 So, if you come in new to an organization, 852 852 00:35:05,880 --> 00:35:09,690 and all of their systems are already built in eMASS, 853 853 00:35:09,690 --> 00:35:13,080 you're just, let's say you already have an ATO, 854 854 00:35:13,080 --> 00:35:15,840 you'll be working on continuous monitoring. 855 855 00:35:15,840 --> 00:35:17,250 So, there are requirements 856 856 00:35:17,250 --> 00:35:18,930 to review the security controls 857 857 00:35:18,930 --> 00:35:21,000 at a scripted time. 858 858 00:35:21,000 --> 00:35:22,830 So, let's say, every three years you're required 859 859 00:35:22,830 --> 00:35:24,450 to review your security policies. 860 860 00:35:24,450 --> 00:35:25,680 Every year, you're required 861 861 00:35:25,680 --> 00:35:29,427 to review your access control rosters. 862 862 00:35:29,427 --> 00:35:31,800 So, in eMASS, we actually go in there 863 863 00:35:31,800 --> 00:35:34,980 and validate that we review those. 864 864 00:35:34,980 --> 00:35:37,590 But, if you're building a new system in eMASS, 865 865 00:35:37,590 --> 00:35:40,200 you have to request the access, 866 866 00:35:40,200 --> 00:35:41,700 you've got to have somebody 867 867 00:35:41,700 --> 00:35:44,370 build the initial system for you. 
So, let's say, you know, you have your system is, you know, whatever you want to call it, you know, New DOD System 2. And then, you sit down and you categorize the system and tailor it in there, and then that gets approved. And so, once your, we call it your security controls baseline, tailored, once that's been approved, then you actually-
Then the work starts, the implementation, right?
So you've got to write security policies, you've got to add SOPs and TTPs, you've got to, what we refer to as, harden the system, or utilize the STIGs, the security technical implementation guides. So, you've got to have a software and hardware baseline, and you put that into eMASS, actually. You will actually put in there, you know, I'm using, you know, this Dell version, this model, this is the OS that's running on it, this is the patch level the OS is on. You put all of that information in there, and you start to build your hardware and software list. You'll build what they call the authorization boundary.
Okay.
So, you have to actually say, here's all the components, hardware, software, firmware. Here's how they're connecting. Here's all my ports I'm using. Here's all the protocols we're using.
Wow.
So, all of this data that supports the system security plan goes into eMASS, and you're essentially building your system security plan in eMASS.
And this also sounds like a really heavy-duty configuration control sort of an approach too, right? Because I'm hearing you say, like you're putting, you know, all these component items in there, down to the patch level, and getting this all in, and I can see why that would be an advantage, but I'm also just sort of fatigued just thinking about, you know, (laughing) all of the information that I'm going to have to, you know, pound into eMASS. So, fascinating.
Well then, that actually brings up a question that I wanted to ask you as we get to the end of our episode today, which is, are there any risks to using eMASS to manage risks?
The number one concern right now, okay, now, I'm putting all of my systems, all of the software, the versions, IP addresses, boundary diagrams, ports, protocols, services, how I'm authenticating my users, my encryption type. Uploading every single design and system security engineering aspect into one web-based application, which in itself has some vulnerabilities, right? That it's web-based. Now, you want me to put all of that together, along with everyone else's stuff, and really, you have built a treasure chest for the adversary to get you. It is a crown jewel with that piece of software on the web.
Right, huh, I wonder if anybody used eMASS to assess eMASS? (laughing)
I do know it has an ATO. (laughing)
Oh, well that's good. (laughing) Okay, so that's eMASS.
Just a quick question, are there other ways that you can automate RMF, or just make it easier for yourself, other than eMASS?
So, Xacta is one of the tools that you'll see being used across the DOD. The federal side has their own tools. So, they have CCM, could not tell you what it stands for.
Okay.
So, and then some organizations develop their own internal systems, where they'll use things like SharePoint. I've seen, you know, custom-built workflow processes. I've seen CRM be leveraged to build a workload process for this.
Okay, so eMASS is really optional then, is what I'm hearing, that there's other, you know, that RMF doesn't require you to use eMASS, and that you can sort of bring whatever automation you'd like to the party. Is that right?
Well, that was correct. Now it's starting,
Oh-oh. (laughing)
Now, more services are starting to require it. So, across the Air Force, Army, Navy, Marine Corps.
Like I mentioned, you know, RMF is an interpretable process, so every community has kind of decided what tools and which processes they're going to use. eMASS is just a DOD-funded tool, and I do have a couple organizations I work with now, who don't use eMASS, but they have been mandated to move to it, and they are on a large initiative to move everything over to eMASS, and they're very nervous about it.
Oh, okay, okay. And probably in a couple of years, we'll be talking about, you know, how everyone's using eMASS now, and you know, different sets of problems. So this really- The whole thing just really strikes me as a bit of a moving target, right?
It's been moving for 20 years, so. (laughing)
Well, welcome to cybersecurity. (laughing) 'Cause that's just sort of the nature of the beast, isn't it? Everything is always moving. Well, we're running out of time.
Rebecca, this has been a fantastic conversation, and I'm, again, really thankful that you've decided to spend some of your valuable time talking with me today, recording this episode, so that people can benefit from your experience. Is there anything else you want to share? Just like a final word before we wrap up?
My biggest thing, when it comes to cybersecurity, RMF in the DOD, is really, you know, do good system security engineering. Think through problems, do risk assessments, document the outcomes, and be honest, so our leadership can make the best decisions for their community, and we've really got to start looking, one, at training people better, and two, making your mission-focused decisions when it comes to cybersecurity and risk management in the DOD.
So, putting the mission first, and putting RMF and all these other things in a supporting role, not making them the point of the work that we do. I absolutely agree with that.
Rebecca, if anybody wanted to contact you, after they listen to this episode, would that be okay? And how would you like them to do that?
Absolutely, and you can email me, it's Becca, Becca@ICyberI.com, International Cyber Institute. That's probably the best way to get ahold of me, is by email.
Okay, and that's the name of your organization that you started, right?
That's correct, yes.
Ah, I just think that's fantastic. I love, as a small business owner, I love meeting and talking to other small business owners. So, thank you so much Rebecca. You know, everybody, as with every episode that we create, you can access a full transcript of everything we talked about right on our website. All you have to do is put www.yourcyberpath.com, forward slash, and then just put the episode number. This is episode 83.
Just put 83 in your favorite web browser, and then, you'll be able to actually pull up the page dedicated to this episode and access all the show notes and all of the transcript. It's a complete transcript. You can also sign up for my mentor notes. Now, if you don't know what mentor notes are, every two weeks, I send out an email. About 500 words, and I just tell you something that's going on, for those of you trying to get into cybersecurity. Something that's going on that I think will help you. And so, I focus on being very short, to-the-point, and practical. Listen, give it a try. You can unsubscribe any time. There's no trouble with that. If you go to yourcyberpath.com, you'll find the sign up there. Like I said, give it a try. But in any event, we're happy you were here. Thanks for listening. We're going to see you next time on Your Cyber Path.