Do away with all or part of the Risk Management Framework

Congress should remove the explicit requirement in the Federal Information Security Modernization Act (FISMA) tasking NIST with creating a Risk Management Framework. Doing so would not eliminate the Risk Management Framework; rather, it would allow NIST to consider alternate methods for understanding and managing technical security.

Twenty years ago, the risk management process made technical security a priority at a time when it was not commonplace to consider the risks associated with technology. Now, however, technical security is a well-known, if sometimes misunderstood, process. Without a formal framework, it is reasonable to believe that security experts and developers today would still consider system security as part of their professional responsibilities. Agencies would still develop authorization procedures tailored to their unique risk posture. Oversight bodies would still hold the government accountable for failures to protect Federal data. NIST would still play a vital role in the strategic understanding and categorization of risk. They would all simply do so without the burden of an extensive and outdated compliance process. In short, they would not be beholden to the checklist mentality or the categorization trap if there were no checklist or categories.

This recommendation is less risky than it sounds. Practitioners repeatedly pointed out that technical security decisions were made separately from the Framework compliance process. Because security decisions have become so divorced from security compliance, reducing or eliminating the compliance process introduces very little actual risk. If the goal of the Framework is to raise awareness of security issues and begin an honest dialogue between security experts and development teams, a much simpler, less prescriptive process would be more effective and much more likely to become a routine part of the development of Federal products, processes, and policies. In essence, less compliance would lead to better security.

This recommendation requires an act of Congress. FISMA specifically tasks NIST with creating the Risk Management Framework. Until FISMA is rescinded or reformed, NIST must continue to produce some form of Framework, and agencies will continue to rely on increasingly outdated methods for managing security compliance.


This site was last updated on 9 OCT 2023.