At the end of the day, agencies are in charge of security

“A lot of perverse incentives keep agencies from making smart, risk-based decisions that need not be there. And a lot of them are cultural, they’re not legal, they’re not even policy in a lot of standpoints. It’s just worrying about the counterfactual versus taking the actions that an executive is charged with taking.”

When asked, “Who is in charge of the ATO process?” respondents universally said that agencies ultimately made all security decisions. Despite NIST’s legislative mandate to create the RMF, and OFCIO’s role in providing guidance, neither organization had a significant effect on how the Framework is used day-to-day. NIST cannot make agencies use the Framework the way it was intended. OFCIO does not have the authority to make agencies tailor their controls to reasonable, cost-effective levels. Agencies will use the Framework in whatever way makes the most sense to them, given their environment. This includes adapting to conditions and incentives unrelated to security.


This site was last updated on 9 OCT 2023.