AMIS Leads the Way with RF-ITV System Reaccreditation

Cybersecurity is changing in the Army, and the team developing and maintaining the Radio Frequency In-Transit Visibility (RF-ITV) System is leading the change management. In March 2014, the Department of Defense (DOD) formally issued instructions for transitioning to a new model for information technology system certification and accreditation, the Risk Management Framework (RMF) process, replacing the DOD Information Assurance Certification and Accreditation Process (DIACAP). Information Assurance (IA) has always been a priority for the RF-ITV managing office, Automated Movement and Identification Solutions (AMIS), so the RF-ITV program and system integrator were up to the challenge of adopting RMF from the start. AMIS is the first program to undertake this massive change in the process to accredit a system. The risk of not getting through RMF is simple: no Authority to Operate (ATO), no RF-ITV for the logistics community.

The RF-ITV team, along with the PEO EIS Information Assurance Program Manager (IAPM) team, attended an RMF early adopters’ sessions at Fort Huachuca, Arizona. The group learned to utilize a main tool in implementing the RMF policy, the Enterprise Mission Assurance Support Service, a service-oriented computer application that supports IA program management and automates the DIACAP process. A key change in the RMF process is the self-assessment — the system manager now assesses all security controls for compliance. After the initial self-assessment, the security control assessor-validator gains an understanding of the system’s IA posture by reviewing system IA documentation, acquires an understanding of the system’s implementation of operating procedures by interviewing people working the various IA roles, verifies the system configuration, meets applicable regulations by performing vulnerability scanning and, finally, evaluates and validates the security controls implemented by the system manager and writes a report, which authorizing officials use in the formal decision to grant an ATO. This process is critical in protecting information systems from cyber-attack. AMIS chose the RMF process, which becomes mandatory in 2017, opposed to DIACAP in order to maximize the timeframe the ATO would be valid. An IT system can't operate on the DOD network without being accredited.

The RF-ITV team was at a disadvantage as the first to go through the RMF process, as they lacked the benefit of lessons-learned or best practice recommendations from other programs. However, the outstanding effort made by the RF-ITV system integrator personnel combined with IAPM team guidance resulted in the three-year ATO, making the RF-ITV System the first to earn this certification within PEO EIS! The team also offered advice to those earning the new accreditation: start early and be prepared for the complexity of the process, which took at least six months longer than earning an ATO via the DIACAP process.