Risk Management Framework
With its unique blend of professionals from both military and commercial backgrounds, Peregrine has the expertise to develop targeted processes for risk management and cyber-attack situations. We provide high-quality services at a modest cost, with an experienced team that you can trust: seasoned IA professionals who understand the cyber environment and bring a value-driven mind-set, all certified and all properly credentialed.
The DOD Risk Management Framework (RMF) is the new unified approach to defending data, regardless of classification. The RMF is the Department’s acknowledgement that threats are real and growing. The RMF approach provides the foundational core of the Department’s strategy to protect unclassified, sensitive, or classified information within DOD information systems. The RMF contains six steps:
- Categorization of the System
- Selection of Appropriate Security Controls
- Implementation of Security Controls
- Assessment of the Efficacy of the Security Controls
- System Authorization, and
- Monitoring of Security Controls in order to ensure the integrity of the data and the availability of the system in an environment of continuous cybersecurity threats.
Peregrine Technical Solutions, LLC has significant experience acting as the IA Subject Matter Expert (SME), as we are a fully Qualified Corporate Naval Validator (Certification Agent) #C0124 for the US Navy. Peregrine has completed six IA contracts in the last two years, and we have five ongoing cyber security efforts, where we are currently using DIACAP and will be transitioning to the RMF process as directed. Peregrine has three SMEs who have completed ACAS NESSUS training, as well as one senior staff member who has undergone specific RMF certification.
RMF creates a significant increase in workload. For example, a DIACAP MAC I Classified system has 110 IAC and 173 Validation procedures; by comparison, an RMF Baseline with a CIA Security Category of High/High/High initially has 950 IAC and 2769 Validation procedures before tailoring is accomplished. Likewise, a DIACAP MAC III Public system has 75 IAC and 102 Validation procedures; by comparison, an RMF package with a CIA Security Category of Low/Low/Low initially has 940 IACs and 2740 Validation procedures before tailoring is accomplished. This is a huge increase in the resources (time and personnel) that will be required, but the Peregrine staff has been researching RMF over the last months, and we believe that we have ideas on how organizations can prioritize which high-risk / high-interest systems to review, as well as how to develop improved processes for high-risk escalations. Our senior staff significantly helped the Navy transition to DIACAP, where we led a Six Sigma review that reduced the backlog of C&A Packages from 800 down to 50 within a six-month period. We believe that this could serve as a model of how Peregrine can help identify risks and develop mitigation approaches, while lowering costs and improving response times.