CASE STUDY: USDA

Challenge:

In 2019, the U.S. Department of Agriculture (USDA) needed to simplify its execution of the Risk Management Framework (RMF) in response to newly released NIST guidance, Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This publication is the first NIST guidance to address security and privacy risk management in a single integrated, robust, and flexible methodology. In alignment with the new guidance, USDA also sought to adopt innovative approaches to managing risk and to increase the level of automation for specific RMF tasks. Arlo worked to maximize the use of automation to increase the speed, effectiveness, and efficiency of executing the RMF steps.

Solution:

Arlo began by assessing USDA RMF policy, process, and implementation status against the requirements described in NIST SP 800-37 Revision 2. We produced an in-depth analysis document for the USDA Chief Information Security Officer (CISO) that identified the current state of RMF implementation at USDA and what had to change to meet the new requirements. Arlo collaborated with USDA on the plans, assessments, and Plans of Action and Milestones (POA&Ms) for security and privacy issues so that the two disciplines were handled together, maximizing efficiency and reducing duplication of effort. Using the newly released Special Publication, the Arlo team developed a new risk management program to prepare the organization to manage risk and increase automation.


Arlo also created processes and procedures to support USDA's Federal Information Security Modernization Act (FISMA) audit, including a readiness assessment plan. We worked closely with the USDA audit support team to ensure they understood the process and were appropriately trained. The USDA CISO personally thanked Arlo for its role in raising the agency's FISMA score by one letter grade within one year.


When implementing any new policy, program, or procedure, Arlo focuses heavily on creating a culture of change within the organization. To drive this change, we prioritize collaboration with the workforce, using assessment reports, surveys, and interviews to understand the issues they face. We also use working groups, Authorizing Official (AO) summits with senior leadership, and road shows as platforms for strategic communication. Throughout, Arlo maintains close communication with the workforce while continuously developing and documenting repeatable processes.

Results:

As a result of our assessment, Arlo implemented more than 100 new policies at USDA to ensure compliance with the new NIST guidance. Communicating that many policies to a large, diverse audience was a challenge in itself, so Arlo went beyond the requirements of the contract and built a custom web platform to host and explain them. We also provided strategic communication services at the Senior Executive Service (SES) level to ensure the required policies were successfully implemented. Arlo hosted three summits to review roles and responsibilities, explain the audience's part in the process, and discuss the policies we developed and how they can be used effectively across the organization.


Our work ultimately supported consistent, informed, and ongoing authorization decisions; reciprocity of authorization results between systems and organizations; and the transparency and traceability of security and privacy information.