New Army IT chief mulls risk management reform

Retooling legacy cyber processes, such as the risk management framework, is a top priority for Lt. Gen. John Morrison, the Army's new Deputy Chief of Staff, G-6.

risk management (oatawa/

The Army's newest IT chief is looking at reconfiguring the risk management framework among other legacy security processes.

Lt. Gen. John Morrison started as the Army's new Deputy Chief of Staff, G-6, in late July following the split of the CIO/G6 role into separate positions and offices.

With just a couple of months in the job, Morrison already has a new set of priorities: unifying the Army's tactical and enterprise network needs and approaches; prepping cyber and signal personnel for multi-domain operations; driving effective investments in networks and cyber that fit with Joint Force priorities; and reforming cybersecurity processes, like RMF.

Morrison, who was previously the chief of staff at U.S. Cyber Command, said the goal is to move away from unnecessarily bureaucratic "periodic reviews" to an uniformly implemented process that ensures applications, systems, and networks are secure before they're deployed.

RMF implementations have not fully matched with the framework's initial intent, which was more along the lines of continuous monitoring to assess risk. Those risks were either operational to the broader DOD Information Network or specific to missions being conducted, both of which require threat-informed decision-making on whether to accept risk.

"It's not a matter of replacing it totally. So I believe the intent of what the risk management framework was supposed to be was on target, I just don't know if we have executed it -- and this isn't just the Army, this is across all the departments -- I don't know if we've executed it consistently," Morrison told reporters Oct. 27.

This idea isn't new. The Army, and DOD writ large, have talked about the struggles with implementing the framework, which was often looked at like a compliance checklist, even when it came to personnel training.

If successful, Morrison's vision could mean increased focus on operations, maintenance, defense, and security of DOD's networks rather than processes.

RMF reform, he said, is "really making sure that we do the right work on the front end" but shorten the amount of time and money that goes into preparing artifacts that "I'm not 100% sure we need at this point and focus those resources on the operations of cyber security."

Morrison also said the G-6 office is focused on hiring to fill vacant positions, including more cloud, data, and cyber (security and operations) talent through alternative hiring practices, such as direct hiring, cyber excepted service, and hosting hiring events. Full operating capability likely won't be hit until later in fiscal 2021.