The Risk Management Framework Is Dead. Long Live the RMF.

This post first appeared on Next Gov. Read the original article.

The need for effective cybersecurity in the federal government is more important now than ever before. Dr. Ron Ross, fellow at the National Institute of Standards and Technology, said it best earlier this year at the RSA Federal Summit: “We literally are hemorrhaging critical information about key programs.”

Frameworks such as the NIST Risk Management Framework, or RMF, help organizations address rampant cybersecurity threats by providing “a disciplined, structured, and flexible process for managing security and privacy risk.” But a framework is just that: a frame of reference from which to adapt according to your needs and situation.

In an effort to speed the fielding of mission-critical systems, security-conscious agencies across the federal spectrum have been taking steps to streamline and simplify how they follow the RMF in order to expedite their authorizations to operate, known as ATOs. We’re seeing this in the Air Force’s “RMF Next” and “Fast Track ATO” initiatives; the Army’s pivot to a more agile RMF; the General Services Administration’s collapse of the ATO timeline from 18 months to 30 days; the National Geospatial-Intelligence Agency’s “ATO in a Day”; and the intelligence community’s “Continuous ATO.” These agencies are reimagining and reinventing the assessment and authorization (A&A) process to ensure that a check-the-box compliance mentality doesn’t jeopardize mission success.

Work Smarter, Not Harder

At first blush, it may seem that a fast-tracked approach to the RMF would jeopardize the goal of governmentwide reciprocity: if steps of the RMF are skipped or given short shrift, then an ATO would mean something different to each organization, eliminating the ability to trust systems ATO’ed by other agencies. But that’s not the case.

Agencies that have successfully streamlined the RMF are not omitting requirements; they are using automation, controls inheritance, transparency and risk management to work through the RMF more efficiently. Inheritance in particular only preserves reciprocity when the common controls being inherited have themselves been assessed and documented, so that an authorizing official at another agency can see exactly what was tested and what was carried over. In other words, they are working smarter, not harder.

With active leadership involvement, these agencies have been able to establish a commonsense approach to the A&A process in keeping with the RMF, assessing new technologies that haven’t been previously assessed without reassessing the same infrastructure and organizational processes they have evaluated many times before…


Comments (1)


Do you not actually find this more concerning and problematic, as you look at how lower levels of management love to find excuses to bypass security (e.g. “The AF said it’s innovation, so it takes precedence” — so the leadership on the IT side tells their cybersecurity shop to push it through anyway — cybersecurity often takes a backseat to promotion and power)? There are a lot of lofty goals out there, but so far, none have borne real results.


© Copyright 2014-2020 AFERM. All Rights Reserved.
Association for Federal Enterprise Risk Management
1050 Connecticut Ave NW, PO Box 66281 | Washington, DC 20035-6281