About This Project
Introduction
NIST
The RMF covers the basics
NIST writes for everyone
The RMF is growing
The RMF struggles to keep up
The RMF is not realistic
The RMF acts as an upper limit
Improvement may not be possible incrementally
OMB
OFCIO can't enforce RMF
Agencies are in charge
Federal Agencies
RMF incentivises imperfection
Agencies struggle with effectiveness
RMF hurts productivity
Inconsistencies within agencies
Authorizing Officials
AOs need training
AOs are paperwork experts
Fear leads to poor decisions
Success is not about the mission
AOs use the RMF as a checklist
Approval is relational
Changing incentives
Vendors
Inconsistency creates uncertainty
Technical misalignment
The cost is high
RMF reduces competition and options
Recommendations
This is not a checklist
Shorten & plain language
Update A-130
Update documents frequently
Professionalize the AO role
Consider a narrative approach
Do away with the RMF
Conclusion
Acknowledgements
Appendices
A RMF relationships between documents
B Documents reviewed
C Reports & references
D Acronyms
About Us
Security and the RMF
Service Design Collective
Recommendations