The Risk Management Framework Is Dead. Long Live the RMF.

This post first appeared on Next Gov. Read the original article.

The need for effective cybersecurity in the federal government is more pressing now than ever before. Dr. Ron Ross, fellow at the National Institute of Standards and Technology, said it best earlier this year at the RSA Federal Summit: “We literally are hemorrhaging critical information about key programs.”

Frameworks such as the NIST Risk Management Framework, or RMF, help ensure organizations are able to address rampant cybersecurity threats by providing “a disciplined, structured, and flexible process for managing security and privacy risk.” But a framework is just that: a frame of reference from which to adapt according to your needs and situation.

In an effort to speed the fielding of mission-critical systems, security-conscious agencies across the spectrum have been taking steps to streamline and simplify their approach to following the RMF in order to expedite receiving their authorizations to operate, known as ATOs. We’re seeing this in the Air Force’s “RMF Next” and “Fast Track ATO” initiatives; the Army’s pivot to a more agile RMF; the General Services Administration’s collapse of the ATO timeline from 18 months to 30 days; the National Geospatial-Intelligence Agency’s “ATO in a Day”; and the intelligence community’s “Continuous ATO.” These agencies are reimagining and reinventing the assessment and authorization (A&A) process to ensure that a check-the-box compliance mentality doesn’t jeopardize mission success.

Work Smarter, Not Harder

At first blush, it may seem that a fast-tracked approach to the RMF would jeopardize the goal of governmentwide reciprocity; if steps of the RMF are skipped or given short shrift, then an ATO would mean something different to each organization, eliminating the ability to trust systems ATO’ed by other agencies. But that’s not the case.

Agencies that have successfully streamlined the RMF are not necessarily omitting requirements; they are using automation, controls inheritance, transparency and risk management to work through the RMF more efficiently. In other words, they are working smarter, not harder.

With active leadership involvement, these agencies have been able to establish a commonsense approach to the A&A process in keeping with the RMF, assessing new technologies that haven’t been previously assessed, without reassessing the same infrastructure and organizational processes they have evaluated many times before…

Comments (1)

Do you not actually find this more concerning and problematic, as you look at how lower levels of management love to find excuses to bypass security (e.g. “The AF said it’s innovation, so it takes precedence” — so the leadership on the IT side tells their cybersecurity shop to push it through anyway)? Cybersecurity often takes a backseat to promotion and power. There are a lot of lofty goals out there, but so far, none have borne real results.
