The key to progress may lie in modern DevOps methodologies
COLORADO SPRINGS, Colorado, March 9, 2018 – C-TRAC, the Center for Technology, Research and Commercialization, is seeking industry partners for the CyberWorx #RMFNext week-long design sprint, planned for April 9 through 13, 2018 at the United States Air Force Academy.
CyberWorx educates airmen while simultaneously partnering with industry to solve cyber problems facing our nation. Design thinking – a structured framework for understanding and pursuing innovation in ways that encourage outside-the-box thinking – is featured prominently in the CyberWorx process.
The Center for Technology, Research and Commercialization (www.c-trac.org), located at the Catalyst Campus in downtown Colorado Springs, is a Colorado 501(c)(3) nonprofit organization that supports CyberWorx by collaborating to build a dynamic, diverse group of industry participants and assisting with project management.
The #RMFNext week-long design sprint is intended to answer the following design challenge: “How might we accelerate the implementation of the Risk Management Framework (RMF) to a velocity more compatible with warfighter needs and modern DevOps methods for federal information systems including IT, OT, and Platform IT?”
The Risk Management Framework is a unified information security framework for the entire federal government. It includes a process for integrating essential security and risk management activities into the development life cycle of critical information systems. According to NIST (the National Institute of Standards and Technology), there are established steps for ensuring the proper management of security risks inherent to any information system. Implementing these steps while developing a project reduces the need for later review and modification under the current Certification and Accreditation (C&A) processes used to manage risk in already fully developed systems.
This more agile approach to risk management is preferred because it is dynamic and flexible, according to documents published by the Defense Security Service (1), the agency charged with overseeing the protection of US and foreign classified information in the hands of industry. The greatest benefit of the new approach, beyond minimizing risk, is to streamline and speed up the entire process of managing the risks inherent in any development project.
The CyberWorx #RMFNext week-long design sprint aims specifically to provide a better way for mission owners to effectively manage risk, make risk-informed cybersecurity investment decisions, and protect the crown jewels that enable successful execution of their core missions at modern cyber-velocities. The deliverable of this effort is to design the best options for implementation of NIST 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
Matt Lira, special assistant to the President for innovation, policy and initiatives, was quoted in Nextgov as saying, “Each of these [government] institutions and the people that comprise them have in their hands the hopes and dreams of millions of people who count on them for something…. We have the opportunity at the intersection between technology and public policy to wow them and do something transformative: to deliver quality services securely using the latest technology.”(2)
Industry members and academic leaders who wish to contribute to this week-long design sprint are encouraged to begin the process by submitting an application at c-trac.org/cyberworx or contacting the Center for Technology, Research and Commercialization (C-TRAC) at firstname.lastname@example.org with any questions about the sprint. Benefits of participating include interfacing with Air Force leaders and stakeholders, building relationships and partnerships with other commercial industry, and providing recommendations for applying commercial products and solutions to the Air Force enterprise.
C-TRAC is looking for industry partners to bring their experience and expertise in risk-based decision-making in organizational information systems to participate in a design sprint collaborating with operational users. Industry partner experience should support their core missions and business functions and focus on implementation and integration of information security into the enterprise architecture and system development life cycle.
2. Konkel, F. (2017, September 19). “Trump's Tech Team Wants to ‘Wow’ Public,” Nextgov. Available online: http://www.nextgov.com/cio-briefing/2017/09/trumps-tech-team-wants-wow-public/141128/