• Title/Summary/Keyword: RMF(Risk Management Framework)

Search Result 8, Processing Time 0.017 seconds

Korean Security Risk Management Framework for the Application of Defense Acquisition System (국방획득체계 적용 한국형 보안위험관리 프레임워크)

  • Yang, Woo-sung;Cha, Sung-yong;Yoon, Jong-sung;Kwon, Hyeok-joo;Yoo, Jae-won
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.6
    • /
    • pp.1183-1192
    • /
    • 2022
  • Information and Information processing systems must maintain a certain level of security during the total life cycle of Information. To maintain a certain level of security, security management processes are applied to software, automobile development, and the U.S. federal government information system over a life cycle, but theme of no similar security management process in Korea. This paper proposes a Korean-style security risk management framework to maintain a certain level of security in the total life cycle of information and information processing system in the defense sector. By applied to the defense field, we intend to present the direction of defense security work in the future and induce an shift in security paradigm.

The direction of application of the RMF-based risk management system considering interoperability (상호운용성을 고려한 RMF 기반의 위험관리체계 적용 방향)

  • Kwon, Hyuk-Jin;Kim, Sung-Tae;Joo, Ye-na
    • Journal of Internet Computing and Services
    • /
    • v.22 no.6
    • /
    • pp.83-89
    • /
    • 2021
  • The RMF (Cyber Security Risk Management Framework) is a more strengthened U.S. defense cybersecurity framework that is currently used throughout the U.S. federal government beyond the defense sector. In the past decade, the proportion of cyber warfare in non-regular warfare encountered by the United States, especially cyberattacks caused by China and North Korea, has been increasing. In the end, the U.S. is newly establishing an RMF system to prepare a more strengthened cybersecurity policy at the pan-government level, and the U.S. Department of Defense aims to expand the U.S. defense RMF evaluation policy beyond the federal government level. The South Korean military has already applied RMF at the request of the U.S. that notified the policy to apply RMF when obtaining F-35A. The application of RMF by the Korean military is no longer inevitable. Now is the time for the Korean military to seriously think about what to prepare for the early establishment of a successful Korean RMF system.

A Study on Constructing a RMF Optimized for Korean National Defense for Weapon System Development (무기체계 개발을 위한 한국형 국방 RMF 구축 방안 연구)

  • Jung keun Ahn;Kwangsoo Cho;Han-jin Jeong;Ji-hun Jeong;Seung-joo Kim
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.5
    • /
    • pp.827-846
    • /
    • 2023
  • Recently, various information technologies such as network communication and sensors have begun to be integrated into weapon systems that were previously operated in stand-alone. This helps the operators of the weapon system to make quick and accurate decisions, thereby allowing for effective operation of the weapon system. However, as the involvement of the cyber domain in weapon systems increases, it is expected that the potential for damage from cyber attacks will also increase. To develop a secure weapon system, it is necessary to implement built-in security, which helps considering security from the requirement stage of the software development process. The U.S. Department of Defense is implementing the Risk Management Framework Assessment and Authorization (RMF A&A) process, along with the introduction of the concept of cybersecurity, for the evaluation and acquisition of weapon systems. Similarly, South Korea is also continuously making efforts to implement the Korea Risk Management Framework (K-RMF). However, so far, there are no cases where K-RMF has been applied from the development stage, and most of the data and documents related to the U.S. RMF A&A are not disclosed for confidentiality reasons. In this study, we propose the method for inferring the composition of the K-RMF based on systematic threat analysis method and the publicly released documents and data related to RMF. Furthermore, we demonstrate the effectiveness of our inferring method by applying it to the naval battleship system.

A Study on Proving RMF A&A in Real World for Weapon System Development (무기체계 개발을 위한 RMF A&A의 실증에 관한 연구)

  • Cho, Kwangsoo;Kim, Seungjoo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.31 no.4
    • /
    • pp.817-839
    • /
    • 2021
  • To manage software safely, the military acquires and manages products in accordance with the RMF A&A. RMF A&A is standard for acquiring IT products used in the military. And it covers the requirements, acquisition through evaluation and maintenance of products. According to the RMF A&A, product development activities should reflect the risks of the military. In other words, developers have mitigated the risks through security by design and supply chain security. And they submit evidence proving that they have properly comply with RMF A&A's security requirements, and the military will evaluate the evidence to determine whether to acquire IT product. Previously, case study of RMF A&A have been already conducted. But it is difficult to apply in real-world, because it only address part of RMF A&A and detailed information is confidential. In this paper, we propose the evidence fulfilling method that can satisfy the requirements of the RMF A&A. Furthermore, we apply the proposed method to real-world drone system for verifying our method meets the RMF A&A.

A Comparative Study on Type Approval of Maritime Cyber Security and RMF in the View of System Development Lifecycle (개발 전주기 사이버보안 관점에서의 해상 사이버보안 형식 승인과 RMF 비교 연구)

  • Lee, Suwon;Hwang, Seyoung;Hong, Jina;Kim, Byeong-jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.2
    • /
    • pp.279-287
    • /
    • 2022
  • With the advancement of cyber threats and the development of hacking technologies, cyber security is being emphasized in various fields such as automobiles and ships. According to this trend, various industrial fields are demanding cybersecurity, and related certifications. In this paper, cybersecurity type approval is compared with the RMF stage under the premise that there are common elements with RMF in that cybersecurity elements must be reflected in the entire system development cycle. For comparison, type approval of maritime cyber security of the Korean Register of Shipping was selected. In conclusion, although type approval of maritime cyber security acquisition procedure is not divided by development stage like the RMF, there are the commonalities in the procedure to apply the cybersecurity element to the System development lifecycle like the RMF. Accordingly, the possibility of determining that the cybersecurity element was applied to the entire development cycle was confirmed.

A Case Study on the Application of RMF to Domestic Weapon System (국내 무기체계에 대한 RMF 적용 실 사례 연구)

  • Cho, Hyun-suk;Cha, Sung-yong;Kim, Seung-joo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.6
    • /
    • pp.1463-1475
    • /
    • 2019
  • Unlike the past, modern high-tech weapons systems are complex and many components are combined to form a weapons system. In addition, unlike the past, where hardware was the main component, the proportion of software is increasing every year, making the security assurance activities of weapon systems more difficult than in the past. The United States has been working to ensure the security of the weapons systems they develop since the 1960s. The findings were made to US internal standards, updated regularly, and are now being applied as RMF. In Korea, research activities have been conducted since 2010 based on the RMF of the United States. However, actual RMF application cases in the United States cannot be classified and obtained, and there are no official cases in Korea. In this paper, we apply Korean RMF research that has been studied so far to apply to the recently developed real weapon system. Thus, detailed guidelines for applying the RMF are presented.

A Research on RC3(RMF-CMMC Common Compliance) meta-model development in preparation for Defense Cybersecurity (국방 사이버보안을 위한 RMF-CMMC 공통규정준수 메타모델 개발방안 연구)

  • Jae-yoon Hwang;Hyuk-jin Kwon
    • Journal of Internet Computing and Services
    • /
    • v.25 no.1
    • /
    • pp.123-136
    • /
    • 2024
  • The U.S. Department of Defense, leading global cybersecurity policies, has two main cybersecurity frameworks: the Cybersecurity Maturity Model Certification (CMMC) for external defense industry certification, and the Risk Management Framework (RMF) for internal organizational security assessments. For Republic of Korea military, starting from 2026, the Korean version of RMF (K-RMF) will be fully implemented. Domestic defense industry companies participating in projects commissioned by the U.S. Department of Defense must obtain CMMC certification by October 2025. In this paper, a new standard compliance meta-model (R3C) development methodology that can simultaneously support CMMC and RMF security audit readiness tasks is introduced, along with the implementation results of a compliance solution based on the R3C meta-model. This research is based on practical experience with the U.S. Department of Defense's cybersecurity regulations gained during the joint project by the South Korean and U.S. defense ministries' joint chiefs of staff since 2022. The developed compliance solution functions are being utilized in joint South Korean-U.S. military exercises. The compliance solution developed through this research is expected to be available for sale in the private sector and is anticipated to be highly valuable for domestic defense industry companies that need immediate CMMC certification.

A Study on the Application of the Cyber Threat Management System to the Future C4I System Based on Big Data/Cloud (빅데이터/클라우드 기반 미래 C4I체계 사이버위협 관리체계 적용 방안 연구)

  • Park, Sangjun;Kang, Jungho
    • Convergence Security Journal
    • /
    • v.20 no.4
    • /
    • pp.27-34
    • /
    • 2020
  • Recently, the fourth industrial revolution technology has not only changed everyday life greatly through technological development, but has also become a major keyword in the establishment of defense policy. In particular, Internet of Things, cloud, big data, mobile and cybersecurity technologies, called ICBMS, were selected as core leading technologies in defense information policy along with artificial intelligence. Amid the growing importance of the fourth industrial revolution technology, research is being carried out to develop the C4I system, which is currently operated separately by the Joint Chiefs of Staff and each military, including the KJCCS, ATCIS, KNCCS and AFCCS, into an integrated system in preparation for future warfare. This is to solve the problem of reduced interoperability for joint operations, such as information exchange, by operating the C4I system for each domain. In addition, systems such as the establishment of an integrated C4I system and the U.S. military's Risk Management Framework (RMF) are essential for efficient control and safe operation of weapons systems as they are being developed into super-connected and super-intelligent systems. Therefore, in this paper, the intelligent cyber threat detection, management of users' access to information, and intelligent management and visualization of cyber threat are presented in the future C4I system based on big data/cloud.