Write “This is not a checklist” on every page of the framework

The most common misunderstanding in the risk management process is that the Framework is treated as a checklist of security tasks rather than as a menu of potential security issues to consider when authorizing a system. NIST and OMB both state that agencies should tailor security requirements to those that are relevant to a particular system and its threat environment, and both state that mission needs and cost should be weighed when managing risk. Both sentiments, however, are lost in the lengthy, dense, and bureaucratic Framework literature.

If NIST believes that this misunderstanding is problematic, it could reinforce its guidance by repeating it in every document it produces. SP 800-53 implores readers not to use the controls as a checklist, but that message has not broken through and is therefore worth reiterating on every page. Most practitioners do not read SP 800-53 as a narrative; they treat it as a reference manual, skipping to the relevant controls to understand specific details rather than reading it as holistic guidance. Important guidance therefore has to be repeated throughout the document, or readers who only consult individual controls will never see it. NIST should reinforce the behavior it wants Authorizing Officials to adopt on every page of SP 800-53 and, if necessary, throughout the entire Framework.

While this recommendation does not address the larger challenge of managing modern security with a twenty-year-old paperwork process, it is cheap, easy to implement, and can be done immediately.


This site was last updated on 9 OCT 2023.