AF revolutionizes cybersecurity risk management ensuring mission assurance

  • By Lt. Col. Stephen Esposito
  • Secretary of the Air Force Chief Information Office
The Air Force Chief Information Security Office continues to lead massive change to the way the entire service manages cybersecurity and risk across the five core missions.

The latest innovation is the roll-out of the completely redesigned Risk Management Framework – the formal policies and processes designed to empower Airmen to assess, manage and validate the cybersecurity risks of the tools and systems they operate, from computer programs to major weapons platforms. The new policy realigns the approval processes necessary to certify cyber tools and systems away from singular authority to a functionally aligned model.

This transformation places the risk decision where it belongs: with the experts utilizing those systems and tools to get the mission done. The policy adjustment also moves the Air Force away from antiquated compliance mandates and toward true risk awareness, mitigation and mission assurance.

The Air Force codified RMF in Air Force Instruction 17-101, “Risk Management Framework for Air Force Information Technology.”

“This policy is the first of my initiatives that hardens cybersecurity, protects the Air Force's key cyber terrain, and reduces the cyber threat footprint,” said Pete Kim, the chief information security officer.

The new process also clarifies the wide array of tools that fit under the cyberspace umbrella. Thinking about what constitutes a cyber system is no longer centered solely on the desktop computer and the network it connects to. As innovation turns formerly inert equipment into “smart” internet-enabled devices at an exponential rate, the threat landscape expands exponentially as well.

This growth includes pieces of mission-critical and mission support programs, from fighter aircraft to buildings' heating and cooling units. Formalization of a standard governance framework for cross-functional engagement is another key piece of the new policy, enabling a truly integrated decision-making process.

The new framework decentralizes the risk assessment and authorization to authorizing officials with a defined cyber area of responsibility delegated by the Air Force chief information officer, Lt. Gen. William Bender. The Air Force has AOs assigned to key mission and functional areas from aircraft and weapons systems to logistics and finance.

This, combined with vast functional area knowledge, allows the AO to compare the system's cybersecurity risk to the system's mission capability in order to authorize operations within cyberspace. The cyber threats may grow larger every day as more devices become internet enabled, but the Air Force's policy implements a framework that minimizes the threat landscape to mission assurance, enabling every Airman to fly, fight and win in air, space and cyberspace.