Shorten the Framework & use plain language
NIST should dramatically shorten and re-write the Risk Management Framework in plain language. NIST states that the Framework documents are meant for a broad audience, including many non-technical senior executives, program officers, and civil society and private sector partners. As it is, the Risk Management Framework is difficult to understand and navigate. Its sheer size is intimidating. It requires at least a college reading level to understand, to say nothing of the technical knowledge required to correctly implement it. Plain language would also make it possible for members of the general public, including the media, to understand how the government manages technical risk and hold it accountable.
Unfortunately, despite Federal plain language guidance and best practices, the Framework remains out of touch for many key stakeholders. We interviewed more than twenty practicing security professionals who, despite their reliance on it, had read only a few, if any, of the documents. Even fewer took advantage of the flexibility and adaptability allowed by the Framework. Those who did rarely encountered counterparts (developers or Authorizing Officials) with a similar level of understanding.
In the rare case of projects in which program managers, developers, and Authorizing Officials all collectively agreed on the intent and flexibility of the Framework, authorities to operate were approved in as little as hours or weeks.
The relative inaccessibility of the Risk Management Framework is a security risk. When experienced professionals cannot, will not, or do not have time to read policies and guidance, they cannot implement them successfully. If NIST wants teams to benefit from the Framework, it needs to understand who its readers are and how they are using the documents. If it understands its audience, it can write in a way that is inclusive, accessible, and useful. People will not follow guidance they cannot understand.