Second Front Systems and the Risk Management Framework
The Risk Management Framework (RMF) is a structured process for integrating crucial security, privacy, and risk management activities into the system development life cycle.
Both private sector implementations, like those by Second Front Systems, and government applications of RMF have distinct characteristics, advantages, and challenges, underscoring the importance and effectiveness of this process in addressing security and privacy risks.
The Second Front Advantage
Implementing RMF through Second Front Systems carries significant advantages. We strive to minimize the information required from application and mission owners to begin onboarding their applications, which streamlines completion of the steps mandated by the government. Moreover, Second Front Systems provides a Customer Success team, available from the outset, to guide the customer's understanding of the roles and responsibilities shared among all involved parties.
Prepare
The mission owner dictates the impact level for the application onboarded to the Game Warden Platform. This ensures the data contained within the application is hosted at the appropriate level, whether IL2, IL4, or IL5. A thorough evaluation determines the appropriate impact level for hosting the application (in practice, IL4 or IL5). Furthermore, there is an in-depth discussion with the mission owner to understand their requirements comprehensively, including the nature of the data the application will handle. Examples range from applications that analyze data sourced from the government customer to applications that optimize flight planning to produce more resilient flight plans.
The government will implement a series of activities in a collaborative effort with the application owner. This ensures that all relevant parties are informed, actively involved, and well-prepared to effectively manage security and privacy risks using the Risk Management Framework (RMF). These activities will include the identification of key risk management roles on both sides, as well as the development and implementation of continuous monitoring processes. Additionally, there will be a focus on identifying standard controls that can be shared between the mission and application owners, enhancing collaboration and efficiency in risk management.
In the initial phase of the Risk Management Framework (RMF), Second Front arranges a meeting with the application owner to investigate how their application is equipped to handle Controlled Unclassified Information (CUI).
Categorize
During the second phase of the Risk Management Framework (RMF), the application and mission owner collaboratively assess the application's impact on confidentiality, integrity, and availability. This assessment, a crucial part of the RMF process, categorizes the application as low, medium, or high. The DoD impact level, ranging from level 2 to 5, is also determined. This information must be provided to Second Front before onboarding so that all necessary security measures are in place and everyone involved understands the process.
The government application of the categorization step of RMF informs organizational risk management processes and tasks by determining the adverse impact in terms of the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. It involves documenting the security categorization of the system and information, completing the categorization decision, and having it reviewed and approved by the authorizing official.
Second Front Systems and the government apply the principles of the RMF Categorize step with few differences. The application and mission owner determine their system's appropriate categorization (low, medium, or high) and the appropriate DoD impact level.
Select
The government's implementation of the Select step of RMF involves tailoring and documenting the appropriate security controls to protect the system and organization in line with the level of risk. This includes selecting and customizing risk control baselines, designating controls as system-specific, hybrid, or common, and allocating them to specific system components. Additionally, a system-level continuous monitoring strategy is developed, and security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved.
The Game Warden PaaS (Platform as a Service) is in process for the FedRAMP High Baseline, has received accreditation up to DoD Impact Level 5, and can deploy applications to IL6 via DAF CLOUDworks/ODIN. We carefully assess applications seeking onboarding to ensure they are placed at the appropriate impact level based on the sensitivity of the information they process. Moreover, our ProdSec team identifies a comprehensive set of NIST 800-53 rev. 4 controls tailored to the specific application and mission owner. This lets our customers begin creating their System Security Plan (SSP) and compile any documentation needed to ready their application for deployment in subsequent stages.
Implement
The government requires the application and mission owners to implement the controls specified in the security and privacy plans for the system and organization. The plans should be updated to reflect the implemented controls. It is primarily incumbent on the application and mission owners to complete all of the security controls.
The Second Front security team enforces the NIST 800-53 security controls. This involves furnishing the application and mission owners with shared responsibility and a customer risk management matrix. The information is provided to facilitate the customer's comprehension of how the Game Warden platform encompasses numerous security controls for which they are not accountable. This enables them to focus on the controls pertinent to advancing their application through the requisite steps for production deployment.
The main difference between how Second Front and the government implement the RMF is that with Second Front, the application owner and mission owner are not solely responsible for implementing all the security controls for their application. For example, an application and mission owner must address over 600 security controls for the application they want to use, which can be time-consuming for any organization. By onboarding their application through Second Front and Game Warden, however, the number of security controls they must complete is significantly reduced, so they can get their application into production and available for use much faster.
Assess
During the Risk Management Framework (RMF) assessment phase, governmental entities will evaluate the accurate implementation, intended operation, and desired outcome of security controls to ensure compliance with system and organizational security and privacy requirements. This phase encompasses the selection of assessors and assessment teams, developing security and privacy assessment plans, implementing remediation actions to address control deficiencies and vulnerabilities identified during scanning, and formulating a plan of action with milestones to rectify security control issues.
Second Front security assessors work closely with the application owner to integrate the application into the development environment. They use a variety of security tools to scan for and identify Common Vulnerabilities and Exposures (CVEs) at all severity levels. Afterward, they work with the application owner to address and resolve any security findings. Finally, the assessors create the Deployment Passport, including a Certificate to Field (CtF).
Using Second Front Systems to onboard an application lets our customers collaborate with our security assessor team to get the application into the Game Warden development environment for scanning and to remediate any potential vulnerabilities. This process includes obtaining a Deployment Passport and Certificate to Field package for authorization to move the application into production for end users. The government typically only provides an assessment team to review security controls, leaving the application and mission owner teams responsible for working through the security controls and remedying vulnerabilities. Additionally, it takes much longer for an application owner to get an application into production if they follow the traditional ATO process.
Authorize
During the Authorize step of RMF, the government authorizing official receives an authorization package that includes the executive summary, system security plan, assessment reports, and plan of action and milestones. Based on this evidence, they determine whether to issue an authorization to operate or deny the request.
During the Authorize step of RMF, the Second Front security team sends the Deployment Passport to the authorizing official for review and approval. Once the authorizing official has signed off on the Deployment Passport, the application owner can move from the development environment into staging and production.
The major advantage of Second Front Systems over the government process is the time it takes to reach this step. By working with the Second Front security team, the application owner can move into production, on average, less than 90 days after the initial contract award. This is based on the Second Front team working hand in hand with the application owner to carry the application through to Deployment Passport approval by the authorizing official.
Monitor
During the RMF Monitor step, the government places the entire onus of monitoring the security of the application and its hosting environment on the application owner. This tends to result in the application owner needing to contract out or hire a large in-house team to monitor their application and its environment.
The Second Front security team provides continuous monitoring of the applications hosted on the Game Warden platform. The security suite hosted on the platform scans the containers 24x7, and the results are provided to both the application owner and the Second Front security team. This ensures vulnerabilities are identified and that steps for remediating or mitigating them are outlined, depending on the circumstances.
The most significant advantage to the application owner when using Second Front and the Game Warden platform is that they inherit our platform's overall security posture. Additionally, our security assessor team tracks the status of vulnerabilities identified during scans of application containers. The application owner does not have to create or configure their own suite of security tools to monitor their application or its hosting environment; the Game Warden platform already provides this service.