Federal Agencies
Each Federal agency has a unique mission and programmatic goals separate from technical security. The Risk Management Framework process is often at odds with those goals. This conflict can take several forms. An agency may want to implement a new legislative mandate within a fixed timeline or respond quickly to an emergency situation by deploying new software on a timeline that the Framework does not permit. In accordance with OMB policy, they may want to move away from legacy systems and toward cloud infrastructure or digitization of public services, but find it easier to manage the Framework using servers and mainframes.
In each instance, the agency is confronted with a choice: move forward and contend with the RMF process, or remain on existing legacy systems that already have an approved Authority to Operate (ATO). Alternatively, it may choose to outsource the program or simply go around the Risk Management Framework altogether. Such unapproved programs are referred to as “shadow IT” and are pervasive in government.
When the decision is made to implement new software, the RMF process often limits what that software can do, preventing useful features from being implemented or limiting the utility of service offerings. In other cases, the process ends at an impasse, with technical teams unable to provide adequate answers for controls that do not seem to apply to their software. This may result in a waiver, or in the completion of those controls simply being deferred to a later date via a Plan of Action and Milestones (POAM). Several interviewees remarked on systems with multiple open POAMs that have remained unresolved through successive rounds of authorization review over months and years. These are known issues that are simply never addressed.