The U.S. Army’s new Risk Management Framework (RMF) 2.0 has proved to be a “big game-changer,” not just in terms of managing risk, but also in building a strong cybersecurity community within the agency, an Army official said today.
At AFCEA DC’s Cyber Mission Summit on April 20, Nancy Kreidler, the director of cybersecurity integration and synchronization for the Army G-6, explained how RMF 2.0 – also known as Project Sentinel – has created an Army Risk Management Council (ARMC) to protect the authorizing official.
“What we found with authorizing officials is that they’re making risk decisions for high and very high-risk in a vacuum by themselves. And this really protects the authorizing official,” Kreidler said of the council. “And that’s a big deal because people are not necessarily comfortable making all these risk decisions for the Army.”
Kreidler said the ARMC will help to bring together the authorizing officials and alleviate any tension between authorities when it comes to high-risk decision-making.
“This is not something we’re planning to do. This is in execution,” Kreidler said. “And that’s what the difference is for this particular brief is that we do this. We’re going to have the first ARMC in about three weeks and that’s a big deal. Let’s change an army.”
Building a Cyber Community Within the Workforce
RMF 2.0 and its ARMC both work to streamline the threat-informed risk decision process while bringing together the Army’s cyber workforce. Kreidler said this new framework is “going to be a big game-changer” in terms of training the cyber workforce, because “it is hard to get people to change.”
“Train your people in cybersecurity. I don’t need somebody who knows eMASS [Enterprise Mission Assurance Support Service]. I need somebody who is technical, who understands risk management, who understands cybersecurity,” she said. “This is our process that we’re going to embrace … and we hope this makes a difference.”
Kreidler stressed the importance of training the cyber workforce, making sure they are passionate about the work they do, and building trust within teams.
“For the cybersecurity people, you really have to take care of them,” she said. “Because they’re going to go to industry, they’re going to make a lot more money. They need to be passionate about this stuff. We need to bring them in. We need to teach them.”
The Army has trained about 1,000 people on its new RMF 2.0 process, according to Kreidler. In doing so, the agency has built a cybersecurity community that holds meetings every two weeks to “just talk about cybersecurity,” Kreidler said.
“We usually have between 200 and 250 people show up just because they want to,” she said. “We don’t always have an agenda. We just talk about cybersecurity. So we have created a cybersecurity community within the Army.”
Another way Kreidler recommends that leaders build a community within their workforce is to “invest in your people.” For example, Kreidler holds what she calls a “telework check-in” three times a week so that her team of about 35 people can get to know each other.
“It takes all of 15 minutes of my time, and it’s the best investment I can make,” Kreidler said. “I think if I gave advice to anybody with regard to leadership, I mean this whole ‘it’s all about the people, invest in your people,’ it really takes time.”
“I don’t think people – because they don’t see a return on investment right away – I don’t think they really see the value of it. And it’s the magical formula, and it costs nothing,” she added. “It’s really time with your people. And it’s the way you build trust… consistency over time.”