The Framework struggles to keep up

The RMF struggles to keep pace with the demands of modern technology. The Framework's size and complexity make it increasingly difficult and time-consuming for practitioners to manage.

“The challenge that we’ve seen over time is that the process hasn’t fundamentally kept up with rapid change, particularly relative to how we manage environments, how we develop applications, and who developed applications.”

The library of NIST publications continues to grow larger and more complex as it attempts to keep pace with the speed of technical innovation. As technology is developed and deployed at an increasingly swift pace, checklist-based management of that technology grows more complex in turn. A more complex process makes it harder, slower, and more expensive to authorize new software, compounding the problem. This has caused the gap between private sector and public sector software capabilities to grow dramatically.

“I don’t even know how many different series of publications that NIST has. They have the SP 800 series, like 800-53, but there’s also the 1800 series, the 1900 series. There’s NISTIR, there’s whitepapers, technical notes, and several other types of series.”

“The AI RMF is similar, you know, it is looking at risk management specifically in that AI context, meant to complement the Risk Management Framework and the privacy framework and other frameworks that NIST has.”

Many practitioners lamented the slow pace of the security assessments themselves. The Framework is a methodology that is used to create another document: an Authority to Operate (ATO). Estimates varied based on the complexity and risk analysis of the software in question, but it is common for ATOs to take six months, or longer, to receive. Several practitioners were involved in ATO approvals that took more than two years. Every practitioner we interviewed cited the need for the process to move more quickly.

“The ATO process is kind of impossible because… it takes so long to write all those documents and get them approved and security just moves so quickly in terms of what the most secure posture is and, because of the bureaucracy, we just can never keep up.”

Even updates to existing systems can be laborious, leaving the government with outdated technology for extended periods of time. At best, system functionality may degrade slowly or useful features may remain unavailable. At worst, systems may be vulnerable to exploitation while solutions languish in the review process.

“The RMF does make it very, very difficult for people to keep things up to date.”

“I can find all the vulnerabilities, then it takes six months to fix it. And I’m like, what the heck is that? You totally defeat the purpose. You’ve created a process that takes forever to make a change.”

Every computer system operating in government is required to have an ATO. To put this in perspective, the Department of Agriculture manages approximately 80,000 software programs. Under a conservative estimate in which an ATO takes only three months to receive, the total time spent managing security paperwork for the software in just one agency would approach 20,000 labor years. The cost of managing those same compliance processes quickly stretches into billions of dollars.


This site was last updated on 9 OCT 2023.