Introduction
The Risk Management Framework is a set of security standards developed by the National Institute of Standards and Technology. It applies to all technical systems in the Federal government, except national security systems. The Risk Management Framework (the Framework or RMF) is also used by cities, states, and private sector companies. The Framework is a document outlining an approach to managing security. It is accompanied by several guides explaining how to apply the process to specific elements of technology.
Service Design Collective gathered a team of five experts in the field of government technology with more than 50 years of combined experience. Our team read through the Risk Management Framework and other supporting documentation related to Federal software development and then conducted multiple rounds of research interviews.
The primary goal of this research was to understand both the theory and the practice of the Risk Management Framework in the Federal government. We wanted to understand what worked well and what did not. We gathered stories of teams using the Risk Management Framework efficiently and effectively and we asked participants about the future of technical security in government.
Between August 2022 and June 2023, we spoke with more than twenty people, including Authorizing Officials, Senior Executives in security roles, policymakers, employees of private sector technology companies, and security consultants. Half of the participants worked for the Federal government as senior executives or held the rank of GS-15, the highest level on the Federal Government’s “General Schedule” pay scale. The rest worked at private technology companies or in Congress. Eleven participants had held related positions in more than one sector (executive branch, legislative branch, or private sector) within the last five years. All participants had worked directly on either the management of security policy or the implementation of the Risk Management Framework in the last year.
Private sector participants held titles that included Chief Executive Officer, Head of Compliance, Policy, or Transformation, Principal Software Engineer, Security Engineer, or Staff Engineer.
Government participants held Chief and Senior titles in roles that included Information Officer, Information Security Officer, Cybersecurity Engineer, Staff Member, Deputy Director, Information System Security Officer, Digital Service Expert, or Contracting Officer.
We discovered that the Framework is a complex, personality-driven process. In theory, it provides a valuable foundation for security. In practice, it is unacceptably slow and expensive. It discourages modern security practices for all but the most inexperienced practitioners and delays or prevents the deployment of modern technologies that would help agencies achieve their missions. While some practitioners succeed in delivering effective security within an acceptable timeframe and at a reasonable cost, that is not the norm. Finally, even when the process is run efficiently, it produces sub-standard results.