Reliability and Maintainability Information System (REMIS), Business and Enterprise Systems (BES) Cybersecurity Hygiene Reconciliation Audit

  • By Erica Shaffer and Jeff Dapore

MAXWELL AFB-GUNTER ANNEX, AL -- The Reliability and Maintainability Information System (REMIS) Business and Enterprise Systems (BES) Cybersecurity Hygiene Reconciliation Audit was conducted from October 31, 2022, to November 4, 2022, with REMIS achieving a perfect 4.0 out of 4.0 score! The audit evaluated the cyber hygiene (i.e., fundamental cybersecurity best practices) of a system or application. AFLCMC/GBZ conducted the audit with the goal of promoting secure development while, at the same time, assessing the cyber hygiene posture across the Business and Enterprise Systems (BES) Directorate.

The foundation of the audit was the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The CSF is the response to the February 12, 2013, Presidential Executive Order 13636, Improving Critical Infrastructure Cybersecurity. One of the key factors in the CSF is the tools it provides for a Capability Delivery Team (CDT) to align its cybersecurity activities with its business requirements, risk tolerances and resources. The audit evaluated each of the following CSF Core activities on a scale of 0 to 4 based on the activity objectives:

  • Identify - This activity concentrates on the business context, the resources that support critical functions and the related cybersecurity risks (i.e., Categorization, Ports, Protocols, Services Management, Hardware/Software, System Security Plan (SSP), Plan of Action and Milestone (POA&M), Business Impact Assessment, Threat Model, and Finance Systems)
  • Protect - This activity supports the ability to limit or contain the impact of a potential cybersecurity event (i.e., Access Control, Remote Access, Public Key Infrastructure (PKI), Data at Rest, Vulnerability Scanning, Configuration Management and Open Source)
  • Detect, Respond and Recover - These activities enable timely discovery of cybersecurity events, identify activities requiring action in response to a detected cybersecurity event, and support timely recovery to normal operations, reducing the impact of a cybersecurity event (i.e., Application and System Auditing, Incident Response, Contingency Planning, Continuous Monitoring, and Risk Assessment)

The CSF aligns these activities to NIST security controls, which provide the standard of evaluation. The audit team used the security controls aligned to the objectives to develop the BES Audit Checklist.

In 2021, REMIS received an audit score of 3.9/4.0. To obtain the perfect score of 4.0/4.0 in 2022, REMIS resolved minor findings identified in the 2021 audit. REMIS continues to maintain a strong cybersecurity posture and is a leader among BES systems in this area.