Triton Multi-INT

I am a little concern about the bidding or proposal against RMF effort. There is tremendous work need to be done for the RMF compliance that leading to an ATO. Without the ATO, even your system is built with the state-of-the-art technology, you are not allow to operate in the field. I do not see that importance reflect on the proposal. I am not sure whether Triton Multi-INT (or the Triton baseline) is a program of record that needs an ATO or it only needs to be RMF compliance. Either ways, there are enough work for probably a handful of full time cybersecurity engineers once we are going to the production mode, especially for implementation and testing phases.

Nevertheless, cybersecurity is gaining a lot of attention and becoming much more important than before. Not only there is increase funding for cybersecurity research from the government agencies, there is also significant funding in cybersecurity from government programs. The program that I was working on before (BACN and contract with the air force) has enough budget to hire at least 10 to 15 cybersecurity …show more content…
This framework is a paradigm shift from the old C&A process and it calls for a holistic approach on security. It includes the governance aspect (policy and procedure) of risk management, as well as risk management throughout the life cycle of the information system such as acquisition, supply chains, and maintenance, etc. It is not the old way of checklist mentality, only fulfilling requirements. It is much more complex. For example, we are supposed to have a continuous monitoring plan and continuous monitoring the effectiveness of the security measures/controls applied on the information system (every year or six months) even beyond the ATO. RMF also has its own schedule and I have seen it spans about 270 days. It has its own scheduling and staffing