Subject: CyberLOG RMF Support
The military is combining the Military Treatment Facilities (MTFs) into one enterprise network called the Medical Community of Interest (MedCOI). Each service must also transition a myriad of previously procured medical equipment. Due to the unique operational nature of many of these devices, this aspect of the transition required a tailored approach to the Risk Management Framework (RMF). This RMF authorization process is a requirement of the Department of Defense and is not found in most commercial environments. The RMF process was intended for information systems, not for the Medical Device Equipment (MDE) that is increasingly network-connected. Sentar was tasked to collaborate with our government colleagues and recommend an RMF process tailored to MDE, to manage the consolidation of MTFs from a service-based to a DHA-based facility, and to streamline the authorization process to reduce the time and expense of getting MDE authorized to operate in MTFs. The challenge of securely managing the risk of network-connected medical devices, often dubbed the Internet of Medical Things (IoMT), is ubiquitous across Government and commercial hospital medical treatment facilities.
Through effective collaboration with government colleagues, Sentar built and maintained an RMF team capable of creating strategic understanding, standardization, work execution, and accountability within the client’s infrastructure for both their MDE and traditional IT network infrastructure. Sentar identified the everyday challenges of applying RMF to MDE, determined an alternative approach to identifying risks, and applied this to the enterprise. Sentar established three criteria that would accommodate all MDE, and created virtual ‘enclaves’ which helped assign sub-zone placement within the Med-COI VPN architecture based on combinations of these criteria. These ‘enclaves’ would inherit cybersecurity controls from all higher sources, the Med-COI security stack and platform services, and would focus the control baseline on accommodating the capabilities of the MDE. Additionally, Sentar proposed an “assess-only” approach, which would allow the team to perform a risk assessment on the MDE, and then incorporate it into an existing authorization. To accomplish these tasks, a CyberLOG team of counselors was created to assist the vendors and the MTFs with approvals. The overall goal was to allow substantial equipment to connect to the new electronic health record (MHS Genesis), to reduce overall costs of RMF, and to consolidate and standardize RMF processes so that the same medical device can be authorized across the services.
The Mission Impact:
• Medical Devices Securely Connected to the Network:
Sentar generated a solution that ensured the cybersecurity vulnerabilities associated with Medical Device Equipment were appropriately assessed, reported, and mitigated as part of the broader RMF process, avoiding disruption of the client mission and ensuring the safety of their patients.
• Authorization Timeline Significantly Reduced:
The “assess-only” approach has streamlined the authorization process, which was previously expected to take only a few months (rather than a full year) to authorize MDE. Groups of systems were created that can be authorized together, thereby reducing the number of separate authorizations needed.