Conclusion

When Congress wrote the Federal Information Security Management Act in 2002 and later updated it as the Federal Information Security Modernization Act in 2014, it could not have known all of the ways it would affect security in the government. Clearly, its intentions were to improve data security across the enterprise and make it easier for the private sector to work with the government. The resulting Risk Management Framework and policy guidance were also well-intentioned and comprehensive. NIST sought to account for every possible risk and to provide guidance that everyone could use.

NIST intentionally created the broadest understanding of risk it could, leading practitioners such as the MITRE Corporation to the conclusion that: “The number of controls and the relative merits and applicability of the controls is too much for any human being to keep in his/her head.” To counter that breadth, NIST built a great deal of flexibility into the Framework and wrote a series of guides dedicated to helping practitioners apply key areas of the policy. OMB followed up with practical guidance for Federal agencies that encouraged a balanced approach to risk, one that took cost and mission outcomes into account.

For their part, Federal agencies developed authorization plans and designated Authorizing Officials to implement the Framework in the context of each agency’s mission and risk posture. Those Authorizing Officials took on the task of managing risk as best they could, creating individualized risk assessments and plans for almost every technical system in government.

Vendors and development teams worked together with Authorizing Officials and program offices to try to understand and manage risk. Everyone in the process took rational steps within the confines of the Framework and the incentive structures it put in place. It did not lead to efficient security outcomes.

The policy does not translate into effective risk management. Instead, the Framework leads to risk avoidance, both personal and professional. Without any entity acting inappropriately, the complicated incentives of the Framework have produced a process that is slower, costlier, and less effective than intended.

The Framework increased reliance on legacy systems and reduced the number of commercial solutions available to the government. In some cases it degraded security and contributed to an increased likelihood of potentially harmful events, such as the inability to deliver key public and economic services. This was an outcome that no one wanted or foresaw, but it has become widely accepted that the Framework is too slow and cumbersome to be an effective tool for managing technical security. Because the Framework is legally required and cannot be abolished without Congressional action, technical security has become a step separate from security compliance.

Precisely because everyone in the process is acting honestly and in their own best interests, changing the system is incredibly difficult. Many actors with differing, often competing, incentives must choose to act in concert and against their best interests in order for real change to happen. Most of our interview participants found this unlikely or impossible. Few could articulate a way to improve the Framework and many felt that the government would encounter serious failures before the process could improve.

Furthermore, in the absence of change, the inherent problems with the current system continue to worsen. Modern technology is growing more complex even as it becomes easier to use. Technologies such as large language models are difficult for even seasoned technical experts to fully understand, yet they make it simple for non-technical users to complete complex tasks, such as writing code or querying large data sets. As more people use more complex technology more frequently and in more contexts, NIST must consider new risks and incorporate them into the Framework. Authorizing Officials will need to manage more technologies and authorize new systems while maintaining an increasingly large portfolio of ongoing monitoring and reauthorization.

In its current state, the Framework will continue to grow in scale and complexity. New controls and overlays will be necessary to manage new use cases. The introduction of the new AI Risk Management Framework is a good example of how the paperwork struggles to keep pace with technology. This will increase the time and costs associated with authorizing new technology, exacerbating the fundamental flaws of the Framework.

There are short term approaches that would improve the current implementation of the Framework. A professional class of Authorizing Officials, with relevant expertise, adequate training, and reduced liability would deliver better results. A simplified ATO process focused on outcomes would help encourage security over compliance. NIST could narrow its focus to the most critical systems or write for a targeted audience, such as inexperienced practitioners or owners of legacy software. Across all parties, clearer communication and plain language would encourage greater understanding, clarify intent, and improve the quality of security dialogue.

Ultimately, however, the system itself must change. Managing security via paperwork and personalities can neither capture the dynamics of technical security nor keep pace with technological innovation. If technical security is to remain a human process, it must be drastically simplified so that its users can keep pace with current technical needs: pruned down to its essentials and rewritten in clear, direct language. Culturally, the government must learn to accept greater risk and elevate the potential of mission failure as a key factor in technical security decision making. In most cases, failing to deliver benefits and services will lead to greater harm than the loss of data, especially when appropriate safeguards and failsafes are in place.

The Framework is well-intentioned but it has become increasingly cumbersome and ineffective at managing security as technology has evolved.


This site was last updated on 9 OCT 2023.