New DoD Approach to Risk Management in Space
The DoD is currently completing a new process for ensuring information security that has significant ramifications for improving cybersecurity in space.
This new process is known as the Risk Management Framework (RMF). It is the unified information security framework used by the entire federal government, replacing the legacy Certification and Accreditation (C&A) processes that were previously followed within federal government departments and agencies. In the case of the Department of Defense (DoD), those former processes were known as DIACAP.
With the publication of DoD Instruction (DoDI) 8500.01 and DoDI 8510.01 in March 2014, DoD has officially begun its transition from the legacy DIACAP process to the new “RMF for DoD IT” process. DoDI 8500.01 replaces the former DoD Directive 8500.1 and defines DoD’s policies for protecting and defending information and information technology, a field now referred to as cybersecurity rather than Information Assurance. The Defense Information Systems Agency (DISA) has stated it will begin utilizing a new information assurance matrix by October 1, 2016.
These moves provide uniformity for how the federal government approaches cybersecurity. RMF is an integral part of the implementation of FISMA, the Federal Information Security Management Act, and is based on publications of the National Institute of Standards and Technology (NIST), which also form the basis for security baselines such as FedRAMP, the Federal Risk and Authorization Management Program.
For space, this new RMF approach takes system controls to a new level of specificity and granularity. Intelsat General is following a new checklist that is based on NIST SP 800-53, which lays out three main categories of focus: Confidentiality, Availability and Integrity. In this way the cyber threats are identified and the controls are tailored accordingly. The consistent security framework across government helps industry provide better protection and promotes the sharing of best practices and proactive cybersecurity measures.
This move to the RMF is a positive step for improved cybersecurity in space. And with new challenges proliferating, it’s not a moment too soon. See below for a very sobering video produced by Air Force Space Command that depicts the catastrophic effects on ISR if satellite connectivity is disrupted: