A new Defense Department (DoD) Risk Management Framework (RMF), due to be delivered to agency leaders in roughly seven weeks, will have strong implications for the way the department’s cybersecurity professionals perform their tasks, according to John Bergin, IT and business system reform lead at DoD.
Just over a week ago, at the Defense Systems Summit on July 11, Bergin was asked about rumblings of an update to the DoD RMF and said that a decision to move forward had been rendered that same day.
“Eight weeks. I go for a decision in eight weeks,” he said. “We made the decision this morning. I’ll take it to the Under Secretary and Deputy Secretary in eight weeks.” Bergin provided further detail about the steps leading up to that point.
“In two weeks, there’s an off-site. The expectation is the work product comes back from an off-site in four weeks, and I go and start pushing for socialization and decision-making in the six-to-eight-week window, where we start making meaningful changes,” he said.
In a follow-up, Bergin told MeriTalk that he is “committed to that timeline” and expects it to proceed on schedule. He said that the date – now less than seven weeks away – is when the reform management group at DoD will bring the proposed new framework to the leadership team.
He provided no indication of whether immediate publication would follow but said the document will have been socialized and refined by various DoD stakeholders by the time a decision is rendered on it in seven weeks’ time.
Shifting Cybersecurity Away from Compliance
The question about the RMF was prompted by a broader discussion about the role of the cybersecurity worker in the context of DoD. With a known cybersecurity workforce shortage in the Federal government now rising to the level of a top Trump administration priority, Bergin suggested that total worker numbers are less germane to the discussion of actual security.
“The question I ask every cybersecurity professional is, ‘Are you a compliance worker, or are you a security worker?’” he said. “I would like to remove one type of worker and hire more of the other type of worker. I will have less of them, I will pay them more, and they will use automated tools.”
Bergin said he has been “aggressively” leveraging U.S. Cyber Command to execute on the findings of automated discovery tools, and that’s where the implications for the cyber workforce come into play.
“We will use the tools we bought, or we will not pay for them, and we will return them. If they work, we will use them. That is the whole point we have to get to,” he said. “So, as we go through that, it becomes: If I’m doing continuous monitoring for real, which requires automation and technology, then I have less compliance workers because those people are no longer relevant in that conversation. Which puts me in a place where we’re having stronger conversations with industry about the right people, and not about people.”
Bergin added that Cyber Command has been “amazing at taking that transformation step forward” and that new DoD CIO Dana Deasy seems strongly focused not on compliance, but on outcomes.
“We’re in it to win it, and that is critical, and it’s all about tying back to the cybersecurity question,” Bergin said. Regarding the potential for automation to supplant some, but not all, cyber workers, he noted that “you can’t automate the man out of the loop yet” but that you can make him “more effective and more capable through better tool usage and machine learning.” That is where he sees the shift: cultivating the type of talent capable of using and augmenting emerging technology.
“The person in the loop is our goal and we have to harness them and have more of them,” he said.
How the RMF Will Acknowledge That Shift
The cultural change in DoD’s cybersecurity approach is not going to come without resistance, Bergin said, particularly when it comes to the new RMF he is proposing.
“Not only are we hitting it, we’re hitting it hard with a sledgehammer, and there will be people who say that this is a security risk,” he said. He explained the implications of the new RMF amid the backdrop of security controls for risk management advocated by the National Institute of Standards and Technology (NIST).
“We’re going to have to demonstrate to folks who don’t want to hear that about how we’re going to deal with the continuous monitoring, actually doing the RMF, to do what NIST intended it to do. The rules aren’t bad. The foolish way we implemented the rules…” he said, pausing and offering refinement to the statement. “The rules aren’t bad, the way in which we chose to implement the rules, which is not foolish, are leading us to suboptimal outcomes.”
An example came when a cybersecurity worker at the summit told Bergin that his role had shifted from his core competency of security toward more of a compliance role, particularly when the previous DoD Information Assurance Certification and Accreditation Process (DIACAP) was supplanted by the DoD RMF in March 2014. The introduction of numerous additional controls made things an exercise in box-checking, the worker said. He asked Bergin how DoD might work to rectify that.
“The honest answer is I don’t think I’ll fix most of the people in your role. I don’t think we’ll get there,” Bergin said. “I think that most of the folks have spent the last ten years in a compliance-drilled world, and I don’t know that I’ll be able to reshape the workforce to be in that next forward look, so we’ll have an efficient period where people either are excited to be doing real security work that is hard. Or they really want to be people pushing paper. I don’t need people pushing paper.”