Authorizing Officials use the Framework as a checklist
“I’ve never met [an Authorizing Official] that they’re like, ‘Yes, my job is to help with security.’ It’s like, ‘No, my job is to make sure the checkboxes are checked.’”
When asked about the Risk Management Framework, developers, security experts, and Authorizing Officials universally talked about SP 800-53, the catalog of security controls, or “the checklist.” Most had never read SP 800-37, the document that actually defines the Risk Management Framework.
“I haven’t read it, but as I understand it, the document that establishes RMF is very simple.”
“What most agencies that I interact with have done is that they’ve gone out and, and bought some checklist that they can check off the boxes on and comply with the Risk Management Framework. So, you know, a lot of them may not have ever read the document.”
The National Institute of Standards and Technology has said that the Framework only offers recommendations, not mandates. As previously discussed, these recommendations are routinely interpreted by the Authorizing Officials and security professionals as checklists that must be completed for an authorization to be granted.
“I hate to say this so insultingly, but you can’t just wave a magic wand and have the security staff actually know things about security when their jobs have been doing paperwork checklists for decades.”
Using checklists is a reasonable approach given the circumstances. If Authorizing Officials are not technical enough to engage in meaningful security discussions with developers, or if they do not have the time to dig into system details, the Framework provides them with a proxy for completing the security process. Given both the real and perceived consequences of failing to follow the security controls, it is reasonable for Authorizing Officials to adhere strictly to the entire list of controls.
“RMF is very checkbox focused and not security focused.”
“We shouldn’t be spending money to try and mitigate risk that doesn’t exist.”