Risk Management Framework & the Technical Security Process

A report written by Service Design Collective and published in July 2023

The original report is available for download on our website.

About this project:

The Federal government has created the Risk Management Framework (RMF) as the method by which technology products are evaluated for security, approved for use, and granted an Authority to Operate (ATO). The RMF applies to nearly every organization, private or public, that endeavors to provide the government with technology solutions. Because there is a great deal of flexibility purposefully built into the framework, its real-world application has led to different interpretations and practices.

For this body of work, we gathered a team of experts in the field of government technology and security. The team included specialists in system security, procurement, human centered design, engineering, federal regulation, policy, and law. Research contributors had more than 50 years of combined experience in government, including Federal Digital Service Experts, Hill staff, and Information Security Officers.

The bulk of the research contained in this report was conducted between August 2022 and July 2023. Given the breadth of technologies covered by the RMF, our research was focused on the development and deployment of software products and services. Our research interviews engaged with practitioners from the public and private sectors to better understand how the RMF affects Federal software development and procurement. This work highlights stories, examples, and current best practices from the field. We also gauged interest in developing new methods for managing technical security, both within and beyond the current framework. We shared the early research findings with government and industry experts to ensure multiple viewpoints were taken into account before this final report was made public.

This research was funded by a philanthropic grant.