The Army wants to re-do how it manages cyber risk

Army Deputy Chief of Staff G-6 Lt. Gen. John Morrison conducts a virtual mentoring session with high school students in February 2021. U.S. Army photo by Edward Loomis

The service is working to stand up a risk management council in the coming month.

The Army is in the final stages of creating a council dedicated to improving how it manages technical and operational risks to its network.

"We are realigning how we approach our authorizing officials," said Lt. Gen. John Morrison, the Army's deputy chief of staff, G-6, during a keynote speech at the AFCEA TechNet Cyber conference in Baltimore on April 26. 

"For too long, we would allow system authorizing officials who, the second they signed off on putting someone on the network, wouldn't see them again, to have a say in what risks they were accepting."

Instead, Morrison said, an Army Risk Management Council will help deconflict positions between authorizing officials, either by making an "Army-level decision on what risk is truly acceptable" or by deciding to "apply the appropriate resources to buy down that risk" with personnel, funds, or time.

The council, which is in its final staffing stages and is expected to stand up in the next month, will be chaired by the Army G-3, which focuses on operations and training, and the chief information officer, with the G-6 serving as "the gatekeeper to make sure the appropriate issues go into it," the general said.

The move is part of a broader effort to reform the Army's cybersecurity processes, particularly its Risk Management Framework process. The Army's Unified Network Plan stresses the need for reform to reduce "repetitive, time-intensive and burdensome processes, and focus on operational processes like penetration testing and continuous monitoring."

To do this, the Army wants to expand its use of "inherited controls and reciprocity among organizations" as part of a shift to what it calls RMF 2.0, which focuses on "active security, defense, and monitoring of critical network and weapons systems," according to the plan. 

Reform doesn't mean "blowing up bureaucracy," Morrison said, but adjusting its levels so that an initial risk assessment can be done.

The goal is to "establish network authorizing officials, who give that final clear to the rear on connecting to the network, the ones that actually have to provide that operational oversight, the ones who actually have to provide recommendations back, on the risk that is really being assumed if something has a vulnerability in it," he said of the new council.

"And then when we identify risk, because intelligence is absolutely critical here, we now have a mechanism to adjudicate that risk at the Army level that will help us move forward much more rapidly than we have in the past."