BY LON J. BERMAN, CISSP, RDRP JULY 2023, VOLUME 15, ISSUE 3
When it comes to the future of RMF, rumors abound but truth is hard to come by. In this article, we’ll take a look at some of the speculations and see if there’s any truth to them.
Let’s start with an oldie. “DoD will abandon RMF and develop their own information security framework.” This one’s been around for quite some time and, quite frankly, there is no truth whatsoever to it. DoD is firmly established within the Joint Task Force and has agreed to move in lock step with the federal civil agencies and the intelligence community. The only way a new information security framework would come into being is if all federal departments and agencies agreed to it – an extremely unlikely occurrence.
“RMF will be replaced by the NIST Cybersecurity Framework (CSF).” There has been some recent “buzz” over CSF, with NIST actively working on a new version of this framework. CSF was conceived as a voluntary framework for use by critical infrastructure industries such as transportation and telecommunications. While CSF does have some applicability to government information systems, it was never intended to replace RMF, and that has not changed.
“RMF will be fully automated.” For those of us struggling to put together RMF packages, this is a lovely thought, but it is just not feasible. RMF encompasses three classes of security controls, to wit: Management, Operational and Technical. Automation may be able to be leveraged to maintain compliance with technical controls (e.g., configuration settings of system software), but automating management and operational controls remains a bridge too far.
“Artificial Intelligence (AI) will make RMF obsolete.” AI may well be used to assist in various aspects of the RMF process, such as document preparation, but even in the most optimistic scenario, this would fall far short of rendering RMF “obsolete”.
“The number of NIST SP 800-53 security controls will be vastly reduced.” I’ve read this one in a few places over the years, but there does not appear to be any factual basis for it. If anything, the number of security controls in NIST SP 800-53 seems to be increasing, e.g., the addition of Privacy and Supply Chain controls in the 800-53 Rev 5.
“eMASS will be replaced by a new tool.” There may actually be a grain of truth in this one. DoD spends a lot of money each year maintaining eMASS and they have been desperately looking for a way of reducing this expenditure. One possible way would be to find a commercial tool that could be configured to do what eMASS does today. It seems unlikely such a tool exists, and, even if one was found, it’s not at all clear that purchasing/licensing the tool and then configuring or customizing it would end up being any less costly. Nevertheless, this is probably one that bears watching over the coming year.
“DISA STIGs are going away.” This one may have come about because of the funding issues surrounding the DoD SCAP Compliance Checker (SCC) tool. That’s a long story and I won’t go into the details here, but suffice it to say it has nothing whatever to do with the STIGs themselves. To the best of anyone’s knowledge, STIGs are alive and well and the local economy of Chambersburg, PA is safe for the foreseeable future.