The Risk Management Framework Is Dead. Long Live the RMF.


A framework is just that: a frame of reference from which to adapt according to your needs and situation.

The need for effective cybersecurity in the federal government is more important now than ever before.  Dr. Ron Ross, fellow at the National Institute of Standards and Technology, said it best earlier this year at the RSA Federal Summit: “We literally are hemorrhaging critical information about key programs.”

Frameworks such as the NIST Risk Management Framework, or RMF, help ensure organizations are able to address rampant cybersecurity threats by providing “a disciplined, structured, and flexible process for managing security and privacy risk.”  But a framework is just that: a frame of reference from which to adapt according to your needs and situation.

In an effort to speed the fielding of mission-critical systems, security-conscious agencies across the spectrum have been taking steps to streamline and simplify their approach to following the RMF in order to expedite receiving their authorizations to operate, known as ATOs. We’re seeing this in the Air Force’s “RMF Next” and “Fast Track ATO” initiatives; the Army’s pivot to a more agile RMF; the General Services Administration’s collapse of the ATO timeline from 18 months to 30 days; the National Geospatial-Intelligence Agency’s “ATO in a Day”; and the intelligence community’s “Continuous ATO.”  These agencies are reimagining and reinventing the assessment and authorization (A&A) process to ensure that a check-the-box compliance mentality doesn’t jeopardize mission success.

Work Smarter, Not Harder

At first blush, it may seem that a fast-tracked approach to the RMF would jeopardize the goal of governmentwide reciprocity; if steps of the RMF are skipped or given short shrift, then an ATO would mean something different to each organization, eliminating the ability to trust systems ATO’ed by other agencies.  But that’s not the case.

Agencies that have successfully streamlined the RMF are not omitting requirements; they are using automation, controls inheritance, transparency and risk management to work through the RMF more efficiently. In other words, they are working smarter, not harder.

With active leadership involvement, these agencies have established a commonsense approach to the A&A process that stays within the RMF: they assess the new technology that has not been assessed before, without reassessing the same infrastructure and organizational processes they have already evaluated many times.

With DevOps and SecDevOps at the forefront of IT modernization discussions, there has been an increase in compliance-as-code initiatives, in which the checks for a control are written as code and run automatically against the system rather than performed by hand during an assessment.  Leveraging that automation to continuously assess the technical controls builds the confidence needed to manage risk and supports compliance requirements, because the evidence is regenerated every time the system changes instead of once per authorization cycle.
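To make “compliance as code” concrete, here is a small illustration added for this article; it is not code from the authors, from Telos, or from any of the agency programs named above. It parses an SSH daemon configuration the way sshd itself reads it (directive names are case-insensitive and the first occurrence of a repeated directive wins), evaluates a handful of configuration expectations, and emits findings keyed to NIST SP 800-53 control identifiers. The particular expectations, the control mapping, and the sample configuration are assumptions constructed for the example, not an official baseline; conditional Match blocks are deliberately not evaluated.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample; not taken from any real system.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 6
LogLevel INFO
X11Forwarding yes
# A later duplicate is ignored: sshd honours the first occurrence
PermitRootLogin no

Match User backup
    PasswordAuthentication yes
"""


@dataclass(frozen=True)
class Check:
    directive: str
    control: str                     # NIST SP 800-53 control ID (mapping is an assumption)
    expected: str                    # human-readable expectation for the report
    passes: Callable[[str], bool]    # receives the lower-cased observed value


# Example expectations only; a real baseline (e.g. a STIG) is far longer.
CHECKS = [
    Check("PermitRootLogin", "AC-6", "no", lambda v: v == "no"),
    Check("PasswordAuthentication", "IA-2", "no", lambda v: v == "no"),
    Check("PermitEmptyPasswords", "IA-5", "no", lambda v: v == "no"),
    Check("MaxAuthTries", "AC-7", "<= 4", lambda v: v.isdigit() and int(v) <= 4),
    Check("LogLevel", "AU-2", "INFO or VERBOSE", lambda v: v.upper() in {"INFO", "VERBOSE"}),
    Check("X11Forwarding", "CM-7", "no", lambda v: v == "no"),
]


@dataclass(frozen=True)
class Finding:
    control: str
    directive: str
    observed: Optional[str]
    expected: str
    status: str  # "pass", "fail" or "missing"


def parse_sshd_config(text: str) -> dict:
    """Return the effective global directives, keyed by lower-cased name.

    Only lines starting with '#' are comments (sshd has no inline comments),
    keywords may be separated from values by whitespace or '=', and for a
    repeated keyword the first value wins. Parsing stops at the first Match
    block (assumption: the baseline applies to the global section).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in effective:
            continue
        effective[key] = parts[1].strip() if len(parts) > 1 else ""
    return effective


def assess(config: dict, checks=CHECKS) -> list:
    """Evaluate every check against the parsed configuration."""
    findings = []
    for c in checks:
        observed = config.get(c.directive.lower())
        if observed is None:
            status = "missing"
        elif c.passes(observed.lower()):
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(c.control, c.directive, observed, c.expected, status))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by status; anything not 'pass' needs attention."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def failing_controls(findings: list) -> list:
    """Sorted, de-duplicated control IDs with at least one non-passing finding."""
    return sorted({f.control for f in findings if f.status != "pass"})


if __name__ == "__main__":
    results = assess(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for f in results:
        print(f"{f.status.upper():7} {f.control:6} {f.directive}: "
              f"observed={f.observed!r} expected={f.expected}")
    print(summarize(results), failing_controls(results))
```

Run on a schedule or in a pipeline, a check like this turns the control evidence into a regenerable artifact: the assessor reviews the checks once, and each subsequent run re-attests the setting rather than requiring someone to open the file again.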

Solving for ATO

It’s clear that there are easier ways to tackle A&A and expedite the granting of ATOs. This flexibility in the RMF has always existed. The question organizations need to ask themselves is whether their internal security and risk management processes, both within and outside of the IT department, are mature enough to begin a fast-tracked ATO initiative.

Organizations that have successfully identified, assigned, implemented, monitored and maintained security controls across all control families are likely ready for this type of endeavor.  But those that first build the system or application and then start the A&A process are going to continue to fall short; such organizations should look to the NIST Cybersecurity Framework for guidance in building in security considerations from the start.

To move forward more efficiently, these organizations should take advantage of the awareness being generated around accelerated A&As to have conversations about this issue with their leadership. Leveraging the NIST Cybersecurity Framework and establishing an as-is and to-be state for your organization allows you to start from your current level of cybersecurity maturity.

Audit Fatigue

We recently came across a team that was trying to solve the problem of “audit fatigue” within their organization.  No mention of ATOs, just those two words that have come to represent the exhaustion that many in the security and compliance profession have felt for over a decade.

Many organizations are looking to quickly assess and authorize technologies to keep up with the demand for new applications and to efficiently satisfy organizational priorities. The term “audit fatigue” suggests a sense of helplessness that contradicts the positive impact that should come with innovation and new technology.  Fortunately, there is an increasing demand to relieve this fatigue within government and industry alike.

As we’ve seen, one way agencies are achieving this is by taking advantage of the flexibility of the RMF to fast-track ATOs—which is, and always has been, well within the agencies’ authority. That calls for balancing the information-assurance discipline of compliance with the flexibility needed to support the mission.

There’s no denying that the rigors of compliance can be exhausting; but if instead we put the emphasis on organizational security and risk management, we will likely achieve compliance as a by-product.  It’s exciting to see agencies taking active measures to achieve that goal by reimagining the A&A process and introducing new flexibility and agility to the way they approach the RMF.

Richard Tracy is the chief security officer and Gianna Price is a compliance subject matter expert for Telos Corporation.