Army looks to retool risk management

The Army is retooling its risk management approach to better fit operational needs.

According to Col. Donald Bray, the Army's acting cyber director, the Defense Department’s risk management framework (RMF) guidance was less about removing all traces of risk and more about learning how to carry and cope with residual risk after mitigation.

"We've always been allowed, in the policy, to tailor it for our operations," Bray told FCW on the sidelines of a May 22 conference hosted by AFCEA. "And we're just at that point where we’re really looking at how to optimize, how to select which controls really apply to us, how to…not redo work, and how to tie that into operations so that we can continue monitoring that."

Shifting the Army's RMF strategy is a major cybersecurity priority for Army CIO Bruce Crawford, and tweaking it over the next few months will be an important challenge, Bray said.

Three years in, the Army and DOD are "now is the point where everybody should be moving RMF," Bray said.

The Army hosted a mini-conference on RMF earlier this year to kick-start the planning process at the leadership level in hopes of producing "more template" guidance throughout the organization, he said, noting that the current guidance doesn't work as well in certain areas.

"It works better for traditional IT," Bray said, but challenges emerge dealing with weapons systems and industrial control systems and property management systems.

The effort is expected to unfold over the next few years, Bray said, adding that a full implementation plan should come out this summer.