The Framework hurts productivity

“It goes without saying maybe, but I’ll say that I think a more serious constraint is [that] we can’t use all of these software and tools in the workplace that are actually relevant to us understanding how to do our jobs better.”

NIST explicitly states that the Framework should not impede an agency’s mission:

Further, information systems process many types of information. Not all of these information types are likely to have the same security impact levels. The compromise of some information types will jeopardize system functionality and agency mission more than the compromise of other information types. System security impact levels must be assessed in the context of system mission and function as well as on the basis of the aggregate of the component information types.

-SP 800-60, 4.3 Step 3: Review Provisional Impact Levels and Adjust/Finalize Information Type Impact Levels

In spite of that statement, some CIOs have delayed large programs, at great cost to the mission of the organization, in order to complete paperwork.

“It was like this tiny, tiny thing that was not a security issue that caused months of delay in the launch of this big system. Tens of millions of dollars invested in the development of the system that the CIO shop was just not willing to sign off on.”

There is no explicit instruction on how to prioritize mission over security. The Risk Management Framework does not consider the opportunity costs built into the speed of the Authority to Operate process or its effects on the way the Federal workforce uses technical tools. A year spent on paperwork is a year in which slow, outdated, insecure systems may stay in operation. This delay has a cascading effect as the Framework gets larger and more complex.

When systems are authorized, certain functions or features are often disabled or, in the case of in-house development, are never built. This can reduce the effectiveness of the solution and slow productivity. Other security requirements can slow or disable critical hardware, such as laptops.

“[The agency] was moving to Office 365… they have cloud-based tools that you can collaborate in and all those things. But when Office 365 rolled out they turned off all of those features. What is the point of having Office 365? It was like you’re gonna have all of these features completely turned off.”

The public is also heavily impacted by the Framework process in their day-to-day interactions with the government.

“So if we don’t get our house in order, if we don’t remove all these points of friction, there’s no way [my agency] or anybody else is going to deliver a pleasant experience to the beneficiaries or any of the other stakeholders.”



This site was last updated on 9 OCT 2023.