

Page 1

Risk Management Framework (RMF) Transition

Operation Triton Bastion (OTB) OPORD 19-058

CONTACT US

FCC NAO Distribution List: FCC_C10F_SUFF_NAO_RMF_CAMPAIGN_PLAN@NAVY.MIL

Additional information is accessible via the Fleet Cyber Command Operation Triton Bastion Portal: https://usff.navy.deps.mil/sites/fcc-c10f/NAO/SitePages/RMF%20Campaign%20Plan.aspx

U.S. FLEET CYBER COMMAND MISSION

The mission of Fleet Cyber Command is to plan, coordinate, integrate, synchronize, direct, and conduct the full spectrum of cyberspace operational activities required to ensure freedom of action across all of the Navy's warfighting domains in, through, and from cyberspace, and to deny the same to the Navy's adversaries.

"Understanding and knowing our DoDIN is a must do in order to C2, operate, defend, configure, and maneuver in and throughout CYBERSPACE." ... "If you don't know what you have to operate, then how can you know what you actually have to defend?"

Mr. Manuel Hermosilla, SES, Executive Director, Fleet Cyber Command/C10F

WHY IS RMF IMPORTANT

The Risk Management Framework (RMF) for Department of Defense (DoD) Information Technology (IT) mandates the management of cybersecurity risk across the enterprise through the adaptation of National Institute of Standards and Technology (NIST) guidance. RMF uses a risk-based cybersecurity approach for enterprise-level authorization of IT systems and services. New acquisitions should be aligned with DoD Acquisition phasing and informed by the RMF to ensure cyber readiness from the start.

RMF provides three (3) significant improvements to how the Navy manages cybersecurity risk. First, it incorporates cybersecurity capabilities early in the design of a system's capability. Second, it increases the emphasis on continuous monitoring of security controls during a system's life cycle. Third, it brings the Navy's platform IT, combat systems and industrial control systems under the same procedures.

WHAT IS THE DESIRED END STATE

Accomplishing the objectives and lines of effort will require Navy-wide focus. The Navy is counting on Echelon II and system owners to take responsibility, accountability, and authority to move the campaign plan forward and meet the Navy's goal to transition to RMF by December 2020. The RMF cybersecurity focus, which is integrated throughout a system's life cycle, enables a common risk lexicon, a common cybersecurity framework, and improved cybersecurity readiness through alignment of RMF Steps with DoD acquisition activities. Navy working groups are meeting to continue to refine processes and smooth the RMF transition.

Page 2

The Department of Defense (DoD) requires all services to transition from the DoD Information Assurance Certification and Accreditation (DIACAP) to the Risk Management Framework (RMF) by 31 December 2020. This effort is intended to reduce the Commander's uncertainty in the Navy's cybersecurity posture while meeting the statutory and policy requirements of RMF. Through the RMF Campaign Plan, Fleet Cyber Command (FCC) issued an Operational Order (OPORD), Operation Triton Bastion (OTB), due to the need to speed the completion of the RMF transition. Its purpose is to transition all existing DIACAP authorizations to RMF by December 2020. The operation's execution efforts will drive increased data collection and metrics to measure progress. Various Tiger Teams are chartered to develop and implement process improvements as required to assist stakeholders with the initial RMF transition and follow-on activities.

"Risk Management Framework is Operational Risk Management (ORM) for Cyber Security."

Dr. Charles Kiriakou, Fleet Cyber Command Navy Authorizing Official

This effort will align the Navy with DoD policy and processes using a common lexicon and implement continuous monitoring, so the Navy is better positioned to understand and manage cybersecurity risk. Cybersecurity integration will result in more dependable, resilient and trustworthy systems that will significantly increase the Department of the Navy's (DON's) ability to protect, detect, react, and restore system operability, even when under attack from a capable cyber adversary.

WHAT IS OPERATION TRITON BASTION

This operation to transition to RMF will address three (3) Focus Areas, with eight (8) Lines of Effort (LOEs), and will be executed in three (3) Phases (planning, transition execution, and validate and assess).

WHY IS OTB IMPORTANT

"When it comes to setting the Navy's cyberspace theater, our NAO provides us the first outlook into our cybersecurity posture, and our Office of Compliance and Assessment (OCA) ensures the first look is accurate."

Vice Adm. Timothy "T.J." White, Commander, U.S. Fleet Cyber Command/U.S. Tenth Fleet


OBJECTIVES AND LINES OF EFFORTS

RMF OFF-RAMPS (ROR)

The NAO is assisting with fast-tracking transitions through the issuance of RBC Use Cases via the RMF Process. The RBC process provides six (6) "off-ramps" to transition to RMF and leverages a valid DIACAP authorization to give credit for work that has been completed.

UC 1: New DIACAP Certification (CD) (issued after 1 Oct 2016)
- Granted an initial DIACAP ATO of up to 18 months to migrate to RMF
- Upon conversion, granted up to 18 months to complete full RMF

UC 2: Existing DIACAP ATO with less than 3 years remaining (issued before 30 Sep 2016)
- Upon conversion, granted an additional 6 months on the DIACAP ATD to complete full RMF
- Sunset as of September 30th, 2019

UC 3: For CAR or HREAG with outstanding vulnerabilities preventing issuance of a full 3-year RMF ATO
- Upon completion of RBC requirements, the system will receive an RMF ATO (RMF ATO with Conditions for High/Very High Risk)
- Length of the bridge authorization is based on the understanding of risk, not to exceed 12 months

UC 4: Use of the assessed and certified risk of a DIACAP submission to issue an RMF ATO vice a DIACAP ATO
- Authorization may be issued for up to 12 months unless there is High or Very High residual risk; HREAG will determine the duration of the authorization with conditions
- For afloat units, refer to RMF Transition Afloat Way Forward NAVADMIN 197/19 (DTG 231550Z AUG 19)

UC 5: Current DIACAP C&A authorization or new RMF A&A
- Open to a wide variety of participants; based on a set of critical security controls implemented using an overlay in eMASS
- Engaged in DIACAP activities but have not submitted assessment artifacts to the SCA
- Engaged in RMF authorization activities but have not completed the RMF Step 2 Security Plan approval process
- Using the Use Case 5 overlay will overwrite previous security control selections and security control select

UC 6: Facilitate transition of an information system (IS) to RMF
- Engaged in DIACAP activities and have submitted validation results/artifacts to the NAO/SCA for review
- The IS will receive an RMF Security Assessment Report (SAR) vice a Certification Determination (CD) and be granted an RMF ATO