1 1 00:00:00,000 --> 00:00:02,520 In this lesson, we're going to talk about timelines 2 2 00:00:02,520 --> 00:00:04,950 because up to this point we haven't really talked about 3 3 00:00:04,950 --> 00:00:06,660 how long does it take to get a package 4 4 00:00:06,660 --> 00:00:08,700 through the RMF process. 5 5 00:00:08,700 --> 00:00:10,680 Now, I told you that there's only seven steps 6 6 00:00:10,680 --> 00:00:13,140 to the RMF process, and while that's true 7 7 00:00:13,140 --> 00:00:15,510 those steps aren't equal in length. 8 8 00:00:15,510 --> 00:00:18,840 For example, preparation might only take you a week or two, 9 9 00:00:18,840 --> 00:00:19,770 but when you start getting 10 10 00:00:19,770 --> 00:00:22,440 to something like the authorizing official in step six, 11 11 00:00:22,440 --> 00:00:25,110 this can actually take you weeks or months. 12 12 00:00:25,110 --> 00:00:27,480 In fact, when you're looking at the total amount of time 13 13 00:00:27,480 --> 00:00:29,640 required to get a package through RMF, 14 14 00:00:29,640 --> 00:00:30,540 it actually is going to vary 15 15 00:00:30,540 --> 00:00:33,240 depending on a lot of different factors. 16 16 00:00:33,240 --> 00:00:35,130 One of those is the size of the system 17 17 00:00:35,130 --> 00:00:36,960 you're trying to get through the process. 18 18 00:00:36,960 --> 00:00:39,900 We talked before about setting your authorization boundary. 19 19 00:00:39,900 --> 00:00:41,520 If your boundary is set too large, 20 20 00:00:41,520 --> 00:00:43,170 that means there's a lot of system elements 21 21 00:00:43,170 --> 00:00:44,970 and possibly a lot of subsystems 22 22 00:00:44,970 --> 00:00:47,040 that are going to be part of this overall system, 23 23 00:00:47,040 --> 00:00:50,460 and that adds to the time and expense of going through RMF. 
24 24 00:00:50,460 --> 00:00:51,293 On the other hand, 25 25 00:00:51,293 --> 00:00:53,460 if you have a very small authorization boundary 26 26 00:00:53,460 --> 00:00:54,293 that's going to reduce 27 27 00:00:54,293 --> 00:00:56,430 what is considered included in that system, 28 28 00:00:56,430 --> 00:00:58,110 and that can help speed up your process 29 29 00:00:58,110 --> 00:00:59,790 as you're going through RMF. 30 30 00:00:59,790 --> 00:01:02,010 But even beyond the size of the system, 31 31 00:01:02,010 --> 00:01:03,330 there are many other factors 32 32 00:01:03,330 --> 00:01:05,340 that can either increase or decrease 33 33 00:01:05,340 --> 00:01:08,970 the amount of time it takes to go through the RMF process. 34 34 00:01:08,970 --> 00:01:11,550 For example, in the past I've worked on some systems 35 35 00:01:11,550 --> 00:01:13,860 that were considered so critical to the war fighter 36 36 00:01:13,860 --> 00:01:15,360 during an active war, 37 37 00:01:15,360 --> 00:01:17,640 that we are able to push it through the RMF process 38 38 00:01:17,640 --> 00:01:19,140 extremely quickly, 39 39 00:01:19,140 --> 00:01:21,720 because everybody who's working on that package knew 40 40 00:01:21,720 --> 00:01:23,970 that that thing had to get out to the field 41 41 00:01:23,970 --> 00:01:25,710 as quickly as possible. 42 42 00:01:25,710 --> 00:01:27,120 Now, that being said, 43 43 00:01:27,120 --> 00:01:29,550 we still had to go through all of the different steps. 44 44 00:01:29,550 --> 00:01:32,220 What we did, though, was we started greasing the skids 45 45 00:01:32,220 --> 00:01:34,710 by talking to people ahead of us in the process, 46 46 00:01:34,710 --> 00:01:36,570 to make sure that when the paperwork got to them 47 47 00:01:36,570 --> 00:01:39,300 they were ready to execute that paperwork immediately, 48 48 00:01:39,300 --> 00:01:40,830 and not letting it sit in their inbox 49 49 00:01:40,830 --> 00:01:43,020 for a couple of weeks before they looked at it. 
50 50 00:01:43,020 --> 00:01:44,640 Now, I know that sounds kind of funny 51 51 00:01:44,640 --> 00:01:45,960 but that is the truth, 52 52 00:01:45,960 --> 00:01:48,330 a lot of times the paperwork is actually held up 53 53 00:01:48,330 --> 00:01:50,250 because it's just sitting in somebody's queue, 54 54 00:01:50,250 --> 00:01:52,500 and until you get them to actually take a look at it 55 55 00:01:52,500 --> 00:01:53,700 they won't even be able to tell you 56 56 00:01:53,700 --> 00:01:55,380 whether you did it right or wrong, 57 57 00:01:55,380 --> 00:01:58,770 and so a lot of this comes down to having good soft skills. 58 58 00:01:58,770 --> 00:02:01,110 I know we're all IT and cyber security people 59 59 00:02:01,110 --> 00:02:03,480 and we think that soft skills don't matter sometimes, 60 60 00:02:03,480 --> 00:02:06,330 but I will tell you they really, really do. 61 61 00:02:06,330 --> 00:02:08,910 As I said, the normal timeline for this process 62 62 00:02:08,910 --> 00:02:11,850 is going to be anywhere from 12 to 24 months, 63 63 00:02:11,850 --> 00:02:15,000 but in the past I was able to get an RMF project through 64 64 00:02:15,000 --> 00:02:16,470 in only five months, 65 65 00:02:16,470 --> 00:02:18,990 and that was considered lightning fast for an RMF 66 66 00:02:18,990 --> 00:02:20,640 for a system of that size. 67 67 00:02:20,640 --> 00:02:21,750 How did I do it? 68 68 00:02:21,750 --> 00:02:24,180 Well, I did it by using my soft skills 69 69 00:02:24,180 --> 00:02:26,490 to ethically influence the time to completion 70 70 00:02:26,490 --> 00:02:27,930 for this process. 71 71 00:02:27,930 --> 00:02:29,430 Now, what I mean by that is, 72 72 00:02:29,430 --> 00:02:31,680 when you're going through this process of RMF, 73 73 00:02:31,680 --> 00:02:33,390 oftentimes you can influence 74 74 00:02:33,390 --> 00:02:35,430 who the package is going to go through. 
75 75 00:02:35,430 --> 00:02:36,930 There's lots of different approvers 76 76 00:02:36,930 --> 00:02:38,730 inside of large organizations, 77 77 00:02:38,730 --> 00:02:40,740 and the organization I was in at the time, 78 78 00:02:40,740 --> 00:02:42,750 we had five different approvers. 79 79 00:02:42,750 --> 00:02:44,970 Well, I knew that approver number one 80 80 00:02:44,970 --> 00:02:46,080 was actually really quick 81 81 00:02:46,080 --> 00:02:48,330 and they were really motivated to do good work, 82 82 00:02:48,330 --> 00:02:50,850 and do it fast because they were trying to get a promotion. 83 83 00:02:50,850 --> 00:02:51,683 And at the same time, 84 84 00:02:51,683 --> 00:02:54,060 I knew that authorizing official number five 85 85 00:02:54,060 --> 00:02:56,220 basically had a couple of months until retirement 86 86 00:02:56,220 --> 00:02:57,630 and they were just biding their time, 87 87 00:02:57,630 --> 00:03:00,240 and so they were trying to do as little work as possible. 88 88 00:03:00,240 --> 00:03:01,950 And so I knew if my package 89 89 00:03:01,950 --> 00:03:04,620 ended up in the queue for authorizing agent number five 90 90 00:03:04,620 --> 00:03:06,750 I was going to be waiting a long time, 91 91 00:03:06,750 --> 00:03:09,360 so I went to the authorizing official number one 92 92 00:03:09,360 --> 00:03:11,340 and I said, "Hey, I've got this package. 93 93 00:03:11,340 --> 00:03:13,500 I've got a strict deadline, I have to get this done 94 94 00:03:13,500 --> 00:03:15,720 and approved before six months from now. 95 95 00:03:15,720 --> 00:03:16,650 Can you help me?" 96 96 00:03:16,650 --> 00:03:17,910 And they said, "Sure, I'll go ahead 97 97 00:03:17,910 --> 00:03:20,310 and pull it into my queue as soon as I see it as pending." 
98 98 00:03:20,310 --> 00:03:22,890 And so, as soon as I hit the submit button in the tool 99 99 00:03:22,890 --> 00:03:24,300 it went into the pending queue, 100 100 00:03:24,300 --> 00:03:26,100 and within about 10 minutes after that 101 101 00:03:26,100 --> 00:03:28,740 it was assigned to authorizing official number one. 102 102 00:03:28,740 --> 00:03:30,810 Now, did that mean they were going to look the other way 103 103 00:03:30,810 --> 00:03:31,980 and push my package through 104 104 00:03:31,980 --> 00:03:33,690 without doing their due diligence? 105 105 00:03:33,690 --> 00:03:34,950 No, of course not, 106 106 00:03:34,950 --> 00:03:37,170 they still did everything that needed to be done. 107 107 00:03:37,170 --> 00:03:38,400 The only difference was, 108 108 00:03:38,400 --> 00:03:40,500 as they looked at the 10 things in their queue, 109 109 00:03:40,500 --> 00:03:42,480 they put mine to the number one position 110 110 00:03:42,480 --> 00:03:43,740 and they put everybody else down 111 111 00:03:43,740 --> 00:03:45,450 from number two through number 10, 112 112 00:03:45,450 --> 00:03:46,860 and they got to wait a little bit longer 113 113 00:03:46,860 --> 00:03:49,890 because my package was more important in this case. 114 114 00:03:49,890 --> 00:03:51,570 So, my point in telling you this 115 115 00:03:51,570 --> 00:03:55,260 is to realize that RMF can be a very long process, 116 116 00:03:55,260 --> 00:03:57,870 after all, this is the federal government we're dealing with 117 117 00:03:57,870 --> 00:03:59,610 and a lot of times things will simply sit 118 118 00:03:59,610 --> 00:04:01,410 in people's queues along the way.
119 119 00:04:01,410 --> 00:04:03,360 So, if you've done your preparation step 120 120 00:04:03,360 --> 00:04:05,160 and you've done your categorization step, 121 121 00:04:05,160 --> 00:04:07,080 and now you're trying to select the controls, 122 122 00:04:07,080 --> 00:04:09,420 well, you may not be well suited to do that 123 123 00:04:09,420 --> 00:04:10,740 and you may have a system administrator 124 124 00:04:10,740 --> 00:04:12,180 who's going to be working with you on this, 125 125 00:04:12,180 --> 00:04:14,070 but this isn't their full-time job, 126 126 00:04:14,070 --> 00:04:15,600 they've got a million other things they're doing 127 127 00:04:15,600 --> 00:04:17,040 as a system administrator. 128 128 00:04:17,040 --> 00:04:19,500 How do you get them to give you the attention you need? 129 129 00:04:19,500 --> 00:04:22,230 Well, a lot of that is going to come down to soft skills. 130 130 00:04:22,230 --> 00:04:24,660 So, as you start working through this process, 131 131 00:04:24,660 --> 00:04:25,980 it's incumbent on you 132 132 00:04:25,980 --> 00:04:28,110 to push your package through the process, 133 133 00:04:28,110 --> 00:04:29,490 that means you're constantly going 134 134 00:04:29,490 --> 00:04:32,070 and looking at where is your package, what's holding it up, 135 135 00:04:32,070 --> 00:04:34,500 and what is the next roadblock that you need to remove 136 136 00:04:34,500 --> 00:04:36,450 to keep it moving through the process?
137 137 00:04:36,450 --> 00:04:37,770 If you don't do that 138 138 00:04:37,770 --> 00:04:41,070 it is very common to see packages that take 12, 18 139 139 00:04:41,070 --> 00:04:44,250 or 24 months to go through the RMF process, 140 140 00:04:44,250 --> 00:04:45,420 and you don't want that to happen 141 141 00:04:45,420 --> 00:04:47,190 to your system or your package, 142 142 00:04:47,190 --> 00:04:49,320 because now your system is going to be delayed 143 143 00:04:49,320 --> 00:04:50,700 in terms of getting it fielded, 144 144 00:04:50,700 --> 00:04:52,680 and that means nobody's able to use your system 145 145 00:04:52,680 --> 00:04:55,110 and get the benefits that we want from that system, 146 146 00:04:55,110 --> 00:04:56,820 which is the whole reason we built that system 147 147 00:04:56,820 --> 00:04:58,080 in the first place. 148 148 00:04:58,080 --> 00:05:00,750 So, keep in mind, when you're dealing with RMF 149 149 00:05:00,750 --> 00:05:03,510 it can be a long process, it can be drawn out 150 150 00:05:03,510 --> 00:05:06,750 but you can help speed that up by using your soft skills, 151 151 00:05:06,750 --> 00:05:09,540 greasing the skids, and working across your organization 152 152 00:05:09,540 --> 00:05:11,400 to make sure that as that package is moving 153 153 00:05:11,400 --> 00:05:14,070 from step one to two, to three, to four, 154 154 00:05:14,070 --> 00:05:15,900 to five, to six, to seven, 155 155 00:05:15,900 --> 00:05:18,090 it continually moves through the process 156 156 00:05:18,090 --> 00:05:20,550 and doesn't get stagnant sitting in somebody's inbox 157 157 00:05:20,550 --> 00:05:22,650 for three or four months before they look at it. 
158 158 00:05:22,650 --> 00:05:23,557 And then when they look at it, they go, 159 159 00:05:23,557 --> 00:05:25,710 "Oh, you missed something," and kick it back to you, 160 160 00:05:25,710 --> 00:05:27,570 and then you have to start that step over 161 161 00:05:27,570 --> 00:05:30,120 and then resubmit it to that same person again. 162 162 00:05:30,120 --> 00:05:32,880 So, remember, always use your soft skills 163 163 00:05:32,880 --> 00:05:35,370 and keep those packages moving through the process, 164 164 00:05:35,370 --> 00:05:38,160 by doing this you can get your RMF time down 165 165 00:05:38,160 --> 00:05:41,670 to six to 12 months instead of the normal 12 to 24 months 166 166 00:05:41,670 --> 00:05:45,003 as it moves its way through the process.