Army looks to retool risk management


The Army is retooling its risk management approach to better fit operational needs.

According to Col. Donald Bray, the Army's acting cyber director, the Defense Department’s risk management framework (RMF) guidance was less about removing all traces of risk and more about learning how to carry and cope with residual risk after mitigation.

"We've always been allowed, in the policy, to tailor it for our operations," Bray told FCW on the sidelines of a May 22 conference hosted by AFCEA. "And we're just at that point where we’re really looking at how to optimize, how to select which controls really apply to us, how to…not redo work, and how to tie that into operations so that we can continue monitoring that."

Shifting the Army's RMF strategy is a major cybersecurity priority for Army CIO Bruce Crawford, and tweaking it over the next few months will be an important challenge, Bray said.

Three years in, for the Army and DOD, "now is the point where everybody should be moving RMF," Bray said.

The Army hosted a mini-conference on RMF earlier this year to kick-start the planning process at the leadership level in hopes of producing "more template" guidance throughout the organization, he said, noting that the current guidance doesn't work as well in certain areas.

"It works better for traditional IT," Bray said, but challenges emerge when dealing with weapons systems, industrial control systems and property management systems.

The effort is expected to unfold over the next few years, Bray said, adding that a full implementation plan should come out this summer.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
