Agencies struggle to implement the Framework effectively
“The Risk Management Framework, I believe, in theory, is still fine and mostly valid as a way of thinking through a decision-making process when it comes to IT and procurement and budget things like this. But no agency actually manages risks.”
Several factors affect an agency’s ability to implement the Risk Management Framework, but even the most successful Chief Information Security Officers struggle to balance its financial and time costs against real-world security gains. Agencies often lack the technical security talent needed to judge where the Framework delivers value and when an unrelated or unhelpful security control can be skipped.
“We could spend a year or two giving an ATO; we still would not achieve anything.”
Every agency security professional we interviewed felt the Framework was a compliance exercise. Some recognized value in it, but struggled to reconcile the theory of the Risk Management Framework with the practical challenges of implementing it. Most attempts to modernize the Framework or integrate it into the development process were ultimately abandoned.
“I would make it more agile. I think it needs to fit how you build, I mean not the other way around. When you’re driven purely by compliance, that is not gonna fit the best practices for UI, UX, for engineering, for research, for … nothing. It just enforces a different, and to me, outdated way of building, which is: you write it all down and (essentially waterfall methodology) gather all your requirements. And you build out the entire system on paper, get it authorized, then you actually build it, right? So it’s years before it actually touches a user and you realize, ‘oh, this didn’t work, we need to change it.’ Oh, you can’t, because that’s what your ATO said.”