Beyond Compliance-Addressing the Political, Cultural and Technical Dimensions of Applying the Risk Management FrameworkJanuary 2015
Topics: Information Security Risk Management, Risk Management, Program Development/Management
The Risk Management Framework (RMF) promulgated by the Joint Task Force provides organizations with a structured yet flexible approach to identify and prioritize the risks of depending on information, communications, and cyber-physical technologies; thus enhancing the ability to manage those risks. RMF implementation is in varying stages of maturity throughout the US Government. The RMF offers promise, but its implementation thus far raises questions and concerns about the direction the Federal government is taking to manage risk in a timely manner. Managing these cyber risks effectively requires organizations – and their mission or business elements, acquisition or procurement elements, and system owner-operators–to make political, cultural, and technical changes. This paper presents the benefits the RMF is designed to provide, challenges that organizations have faced, and recommendations to overcome those challenges and achieve the benefits.