Automation Helps Navy Ensure IT Systems' Cybersecurity

The Challenge

The Risk Management Framework (RMF) process is used to manage cybersecurity risks for thousands of U.S. Navy IT systems. To receive and maintain their authorizations to operate (ATO), these systems must undergo and pass a full RMF evaluation.

Earning and maintaining ATO is neither simple nor easy. The attendant RMF process takes anywhere from 8 to 18 months to complete for a single system. The documentation requirements are also time consuming. Uploading and assessing the necessary cybersecurity test data can take weeks. Such extended timelines often prevent Navy organizations from rapidly fielding new capabilities for improved operational, business, and mission performance. 

As it’s conducted manually, the RMF process is prone to human errors, some of which can cause entire documentation packages to be returned and significantly delayed. Much of this manual work is performed by experienced, highly paid cybersecurity staff or contractors, diverting them from higher value tasks.

The Approach

To help its Navy clients field IT systems with more speed while still fully ensuring their security from cyber threats, Booz Allen built a tool to automate many elements of the RMF process. The result is RMF Automation & Process Streamlining, a solution that makes the RMF process faster, more accurate, and less expensive. 

To develop the tool, Booz Allen leveraged deep expertise in cybersecurity, robotic process automation, systems engineering, and NIST RMFs. First identifying a number of labor-intensive tasks that were a good fit for automation, our team developed and tested two prototype bots to automate those workflows and upload test data. As testing and development continued, numerous trials of the prototypes produced error-free results.

Less than a year later, we were ready to start using RMF Automation & Process Streamlining to help our Navy clients accredit operational systems. Within 6 months, the number of RMF Automation & Process Streamlining automation bots in use grew from two to 14, and still more were in development. Each bot automates and expedites tasks and workflows supporting all six steps in the RMF process.

The Solution

Today, RMF Automation & Process Streamlining has been used to help accredit dozens of systems for tactical communications, command and control, and mission planning at Navy commands in both classified and unclassified settings. The tool is portable, intuitive, and user-friendly. RMF Automation & Process Streamlining walks practitioners through the RMF process step by step, much like the apps found on popular tax-filing websites.

RMF Automation & Process Streamlining automations support many communities of RMF practitioners, including:

  • Information system security engineers (ISSE) for artifact and package generation
  • Package submitting officers (PSO) for package review
  • Navy qualified validators (NQV) for validation testing
  • Security control assessors (SCA) for NQV risk assessment reviews
  • Navy authorizing official (NAO) cyber security analysts (CSA) for package processing, standardization, and approval

In addition, RMF Automation & Process Streamlining currently delivers six compiled or individual reports that fully comply with Office of the Chief of Naval Operations requirements:

  • Plan of actions and milestones (POA&M)
  • Hardware list
  • Software list (Windows)
  • Software list (Linux)
  • Ports, protocols, and services management (PPSM)
  • Test plans

Navy programs employing RMF Automation & Process Streamlining began seeing benefits immediately. Manual tasks like data entry, report generation, and data analysis that previously took days or weeks were now accomplished in minutes, while substantially reducing the risk of error. 

Consider, for example, the RMF Automation & Process Streamlining bot that helps automate the task of generating a POA&M report. The bot compiles test data for a given system onto a spreadsheet to identify instances of non-compliance with security controls. With one Navy system, the POA&M bot processed 3,500 test results and generated a report in 2 minutes. Compare that to the 32 hours it typically takes to do the work manually. In government offices with several hundred systems, that translates to thousands of hours of staff time saved annually.

Another RMF Automation & Process Streamlining bot helps automate the Navy’s CYBERSAFE cybersecurity process to verify that the security features of one system do not inadvertently impair the security of other connected systems. In one case, RMF Automation & Process Streamlining evaluated a new relay node on a tactical communications system and added 109 CYBERSAFE security controls in about 2 minutes. Without RMF Automation & Process Streamlining, adding those controls manually would have taken up to 4 hours.

Among the features that distinguish RMF Automation & Process Streamlining from other RMF process-automation tools are its ease of use and its interoperability with other applications. In addition, its open architecture enables it to incorporate additional automation bots regardless of who developed them, whether Booz Allen or other companies. To continue Booz Allen’s always-on effort to innovate and automate, our team is working on a project to employ machine learning and natural language processing to improve the creation of risk-mitigation statements.

Meet the Authors

Kevin McNally is a principal at Booz Allen. He leads a large cybersecurity workforce supporting the Navy Marine Corps market in San Diego. Kevin retired from federal civilian service in March 2019, after more than 30 years of service in the Navy and Marine Corps. 

Kenneth Kryszyn is a senior associate at Booz Allen. He leads a software development team that is automating many aspects of the RMF process. Ken came to Booz Allen after retiring from the U.S. Navy, where he served for 20 years, 17 of which were in overseas billets.