Risk Management Framework adoption hits stumbling blocks at DOD

The Pentagon (Photo by Ivan Cholakov / Shutterstock) 

Moving the Defense Department's authorization process for IT systems from the DOD Information Assurance Certification and Accreditation Process to the Risk Management Framework was supposed to provide better results. But the culture of compliance seems to be an impediment.

"It's hard to train people to assess risk," DOD Acting Deputy CIO for Cybersecurity Thomas Michelli said during a keynote presentation at the ACT-IAC's membership meeting Nov. 28. "People like compliance because it's black and white." 

The framework requires IT specialists accept risk, he said, including the results of someone else's testing. But without it, things can slow down.

"RMF can be much more effective than past ways of doing accreditation or assessments," he said. "It's just people have to have the knowledge, skills and intestinal fortitude to do it, and then sign their name at the bottom saying, 'I accept the risk.'"

But there have been some successes. The Air Force's agile software development factory, Kessel Run, has been able to build RMF controls into code for the F-35's logistics system, Michelli said. Eventually, RMF will evolve and become more automated, possibly using machine learning techniques.

The Army is in the midst of retooling its RMF strategy to better fit operational needs through dispersing template-based guidance across the organization and a full roll out in the next three years.

"If RMF is used right, it can be much faster, Michelli said. "It's an evolving thing."

The Defense Department is also contending with supply chain risks in the industrial base. In addition to task forces, which look at how to evaluate what the Defense Department is buying and best assess third-party threats, the department is contemplating new approaches to risk, including double checking industry partners' systems.

"If you contract with the Department of Defense, you have to meet a certain standard: 800-171, a NIST standard," Michelli said. "In the past, for most cases, we took self-assertion that [industry partners] were meeting it. Now, because the clause allows us to do it, we're going out and actually assessing that you're actually doing it because we have found that there are some problems," he said.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.