The Risk Management Framework covers the basics
“Before RMF it was a crazier world. It got too crazy. So that’s where the government kind of pushed back and said we need a standard way of viewing this.”
The Framework has helped many teams manage security in an organized, repeatable way. Almost every practitioner we spoke with said that the Framework was useful at times. Some compared it favorably to the period before the Government Information Security Reform Act of 2000 (GISRA), when there was limited understanding of how to manage risk.
“I remember looking back with the passing of GISRA, we had authorized our first information system and it was foundational. It was really helpful because you have to think about what was there before it. There was no formal discipline corresponding to having an understanding of your architecture, having an understanding of your control implementations, or how things were done to specifically secure technical components, to operationalize management process-oriented components. So there is value in what is there.”
Others noted that the RMF can prevent inexperienced technical teams from releasing insecure software.
“I have seen teams who have been blocked by the ATO process because they have no clue what they’re doing.”
Other practitioners commented on the value of the Framework as a thought exercise or prompt to help them identify and mitigate issues they may not have considered.
“Best practices are time consuming… but it also does force you to grow up.”
By far, the most common sentiment was that the Framework provides legitimate security benefits at a very high cost, both financially and in terms of labor hours. Many felt that the cost was too high.
“So it works from a security perspective. It’s conservative and expensive, but it works.”
“Are there benefits to the security? Well, there are some, but those benefits aren’t commensurate with the cost.”
“It’s expensive.”