Update documents more frequently
Software security is a rapidly evolving field that requires continuous updates and evaluation. Policies should be evaluated regularly and kept up to date.
The current iteration of the RMF began in 2004 with the deprecation of FIPS 102 and the introduction of FIPS 199 and SP 800-37. FIPS 199 has not been revised since 2004. SP 800-37 was revised in 2010 (Revision 1) and again in 2018 (Revision 2), which remains the current version.
Older documents can create conflict with modern policies. For example, portions of FIPS 200’s Minimum Security Requirements (written in 2006) could be construed to prohibit or limit efforts to move toward zero trust environments, a priority of previous and present presidential administrations. This conflict was unavoidable at the time FIPS 200 was written, as zero trust concepts did not emerge until 2010. FIPS 200 has not been updated for seventeen years, creating confusion as to how the two policy objectives might interact.
Documents that are three years out of date raise suspicion in the minds of many security professionals. RMF documents, on average, are nearly nine years out of date. We recommend that NIST review documents every two years, three at maximum. When a review finds that a document does not require substantive changes, NIST could mark it prominently as current to reflect its continued relevance. This could include placing the new document version checker button[1] on each document to let the public know it is current. More frequent reviews and updates will increase confidence in the relevance of RMF documents.