Army looks to retool risk management

The Army is retooling its risk management approach to better fit operational needs.

According to Col. Donald Bray, the Army's acting cyber director, the Defense Department’s risk management framework (RMF) guidance was less about removing all traces of risk and more about learning how to carry and cope with residual risk after mitigation.

"We've always been allowed, in the policy, to tailor it for our operations," Bray told FCW on the sidelines of a May 22 conference hosted by AFCEA. "And we're just at that point where we’re really looking at how to optimize, how to select which controls really apply to us, how to…not redo work, and how to tie that into operations so that we can continue monitoring that."

Shifting the Army's RMF strategy is a major cybersecurity priority for Army CIO Bruce Crawford, and tweaking it over the next few months will be an important challenge, Bray said.

Three years in, for the Army and DOD, "now is the point where everybody should be moving RMF," Bray said.

The Army hosted a mini-conference on RMF earlier this year to kick-start the planning process at the leadership level in hopes of producing "more template" guidance throughout the organization, he said, noting that the current guidance doesn't work as well in certain areas.

"It works better for traditional IT," Bray said, but challenges emerge when dealing with weapons systems, industrial control systems and property management systems.

The effort is expected to unfold over the next few years, Bray said, adding that a full implementation plan should come out this summer.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.
