Transitioning to the Risk Management Framework: Potential Challenges

Patrick Sullivan
March 31, 2016 • 2 min read

In 2009 the Joint Task Force Transformation Initiative Interagency working group was established with a vision to produce a unified information security framework in the federal government for both national security and non-national security systems. The framework was built to leverage NIST standards, which were in practice within some elements of the government in 2009.

The working group consisted of personnel representing NIST, the Department of Defense (DoD), and the Office of the Director of National Intelligence (ODNI). They developed a set of core publications that provided the foundation for implementing this vision of a unified information security methodology for the federal government, reflected today in the NIST Risk Management Framework (RMF).

As the intelligence community (IC) began its transition to the RMF by implementing the JTFTI publications, the DoD initiated its own working groups to define their implementation requirements for this framework. Fast-forward to today and these major segments of the government have adopted the RMF, and are undertaking the transition with various approaches.

However, as happens with any major change, the transition to the RMF has the potential for presenting challenges to the organizations involved.  For example:

  • One of the key features of adopting a unified standard across these diverse government segments is the concept of reciprocity. All too often in these transitions, resistance is encountered across the security practitioner user base.  This results in a lack of full understanding of the RMF, which maximizes the rework needed for authorizations and carries forward the inefficiencies of the past.
  • The quantity of controls under the RMF control catalogue, which assessors are responsible for addressing, has increased significantly for the DoD and IC when compared to their legacy policies. In order to accurately address these controls, a well-constructed common control model needs to be defined and implemented.   Maintaining groups of like controls outside of individual authorization packages can offer significant time savings for involved stakeholders.
  • It is often difficult for organizations to adopt the utopian process vision within RMF because of existing procedures and business practices. These customized processes tend to result in inefficiencies within the RMF and create workaround solutions which then become organization-specific implementations, thus reducing the effectiveness of reciprocity not only for a particular segment of the community but also across other segments.

The next part of this series will address these challenges and lessons learned, and will provide insights into an effective RMF transition.

Patrick Sullivan
Vice President—Xacta Solutions & Services, Telos Corporation
Mr. Sullivan holds a MS, BS and AAS in Information Systems and CISSP, CEH, CHFI certifications.
Read full bio
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Dave Wagner

Great post Patrick- especially liked you pointing out the result of existing procedures and business practices that inhibit successful adoption of the RMF. Transitioning to the RMF requires the conventional standards to evolve, not just ve dusted off. Looking forward to reading the next part in the series!

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.