This paper presents the potential benefits of the Risk Management Framework and the challenges that organizations may face in its implementation, offering recommendations for overcoming these challenges and achieving benefits.
The Risk Management Framework (RMF) promulgated by the Joint Task Force provides organizations with a structured yet flexible approach to identify and prioritize the risks of depending on information, communications, and cyber-physical technologies; thus enhancing the ability to manage those risks. RMF implementation is in varying stages of maturity throughout the US Government. The RMF offers promise, but its implementation thus far raises questions and concerns about the direction the Federal government is taking to manage risk in a timely manner. Managing these cyber risks effectively requires organizations – and their mission or business elements, acquisition or procurement elements, and system owner-operators–to make political, cultural, and technical changes. This paper presents the benefits the RMF is designed to provide, challenges that organizations have faced, and recommendations to overcome those challenges and achieve the benefits.