Improvement may not be possible incrementally

All practitioners noted the need to update all or part of the Risk Management Framework (RMF), but many felt that incremental change was not possible. This led to a common theme: the RMF needs to be completely rethought.

“It’s like turning the Titanic. It could happen but if you did … the ripple effect would be very hard to predict and/or it would just monumentally fail.”

“I don’t see it getting any better absent congressional action to say this is the way we’re going to reinterpret agency risk management and cybersecurity technology.”

“Most of our mission owners don’t understand because they don’t understand what the actual problem is, that these are just fictitiously invented bureaucratic problems. These are not real technical problems. These are just figments that we’ve put up in our way and I am of the belief that that is a political problem, period. And right now there is no incentive for our government to change that, absent a real threat.”

One common understanding was that, when an emergency or crisis required rapid response, the process was simplified dramatically or ignored completely in favor of sound decision making. After a crisis, or in the absence of one, however, technical security reverted to its less efficient state.



This site was last updated on 9 OCT 2023.