K-RMF 조기정착을 위한 방위사업제도 발전방향

이진구¹ ; 손태식²^{, *}

1해군 대령/아주대학교 사이버보안학과 석사과정
2아주대학교 사이버보안학과 교수

Development Directions for Defense Acquisition System to Facilitate Early Adoption of K-RMF

Jin Goo Lee¹ ; Tae Shik Shon²^{, *}

1CAPT, ROK Navy/Graduate, Dept. of Cyber Security, Ajou University
2Professor, Dept. of Cyber Security, Ajou University

Correspondence to: ^*Tae Shik Shon Tel: +82-31-219-3321 E-mail: tsshon@ajou.ac.kr

초록

한국 국방부는 2020년 K-RMF를 개발하였고, 시범적용과정을 거쳐 2023년 7월부터는 일부 연합체계 및 전장관리정보체계에 정식적용하였다. 그동안 한국군은 K-RMF 자체에 대한 완성도 향상과 함께 K-RMF 제도 정비에도 노력해왔으나, ‘국방사이버보안위험관리지시’ 및 기존 방위사업과 관련된 훈령과의 상호 유기적 연결성이 미흡하고, K-RMF를 수행해야 하는 기관들의 이해가 부족한 실정이다. 본 연구는 미국과 한국의 RMF 지침에 대한 이해를 바탕으로 K-RMF 시행을 위해 추진했던 법령에 대한 제도적 보완, 기존 제도와의 중복성 최소화 등 K-RMF의 조기정착을 위한 방위사업제도 발전방향을 제시하였다.

Abstract

The ROK Ministry of National Defense developed K-RMF in 2020, went through a pilot application process, and officially applied it to several combined systems and battlefield management information systems from July 2023. In the meantime, the ROK military has worked on improving the completeness of K-RMF itself and institutional reforms, but there is insufficient interconnection between the Instruction for RMF and existing directives related to defense projects, and there is a lack of understanding K-RMF. This study suggests directions for the development of defense acquisition systems for the early settlement of K-RMF, such as institutional supplementation of laws and regulations promoted for K-RMF implementation based on an understanding of RMF guidelines in the United States and the Repubic of Korea, and minimization of redundancy with existing systems.

Keywords:

Risk Management Framework, Cybersecurity, Defense Acquisition, Interoperability, Test & Evaluation

키워드:

위험관리프레임워크, 사이버보안, 방위사업, 상호운용성, 시험평가

References

Jung-keun Ahn, Kwang-soo Cho, Han-jin Jeong, Ji-hun Jeong, Seung-joo Kim, “A Study on Constructing a RMF Optimized for Korean National Defense for Weapon System Development,” Journal of The Korea Institute of Information Security & Cryptology, Vol. 33, No. 5, pp. 827-846, Oct 2023. [https://doi.org/10.13089/JKIISC.2023.33.5.827]
Yong-seok Lee, Jeong-min Choi, “Research for Application the RMF to the Korean Military,” The Journal of Korean Institute of Communications and Information Sciences, Vol. 45, No. 12, pp. 2132-2139, Oct 2020. [https://doi.org/10.7840/Kics.2020.45.12.2132]
Hyuk-jin Kwon, Sung-tae Kim, Ye-na Joo, “The Direction of Application of the RMF-based Risk Management System Considering interoperability,” Journal of Internet Computing and Services, Vol. 22, No. 6, pp. 83-89, Dec 2021. [https://doi.org/10.7472/jksii.2021.22.6.83]
“National Defense Instruction for Cybersecurity Risk Management Framework,” Ministry of National Defense, Apr 2024.
“National Defense Directive for Cybersecurity,” Ministry of National Defense, Dec 2023.
“National Defense Directive for Defense Power Development Operation,” Ministry of National Defense, May 2024.
“DOD Instruction 8510.01: Risk Management Framework for DoD Systems,” Office of the Department of Defense, Jul 2022.
“NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations,” National Institution of Standards and Technology, Dec 2018.
“NIST Special Publication 800-53 Revision 5: Security and Privacy controls for Information Systems and Organizations,” National Institution of Standards and Technology, Sep 2020.
Sang-kwon Kim, “The Current State and Future Path of K-RMF,” The 19th Defense Security Conference, Seoul, pp. 215-239, 2023.
“National Defense Instruction for Interoperability Management,” Ministry of National Defense, Jan 2023.