After months of vowing to “blow up” the Risk Management Framework (RMF), Katie Arrington, the Pentagon’s acting chief information officer (CIO), announced today that her office will release a revamped version of the framework in the coming weeks.

“So, [the new] RMF, you will be seeing a letter coming out of my office in the next couple of weeks with [those] 10 Commandments,” Arrington said during the Billington CyberSecurity Summit in Washington.

The RMF was implemented in 2022 under then-CIO John Sherman to govern risk throughout the lifecycle of technology systems, from development and acquisition to deployment and sustainment within the Department of Defense (DOD) – which the Trump administration has rebranded as the Department of War.

The framework – which implements the Federal Information Security Modernization Act (FISMA) and adheres to cybersecurity standards set by the National Institute of Standards and Technology’s Special Publication 800-53 – was meant to provide structure and consistency in securing defense IT systems, but in practice has drawn criticism for being overly bureaucratic and inflexible.

Since taking over as acting CIO earlier this year, Arrington has consistently signaled her intent to replace the RMF with a more agile, responsive approach – one that maintains rigorous security standards without slowing innovation or operational readiness.

There has been growing curiosity around what the new RMF will actually look like, and what “blowing it up” truly means in practice. Part of the plan, according to Arrington, includes determining how to move away from the traditional framework while still ensuring security and compliance.

“It’s the 10 Commandments,” Arrington said of the upcoming guidance. “They include continuous monitoring, training, relooking at what a [cybersecurity service provider] is, and embracing continuous [authorization to operate.]”

Internal discussions around the overhaul began earlier in the summer with the department’s chief information security officers and have since expanded to include key stakeholders across defense components, including the offices of Acquisition and Sustainment and Research and Engineering.

The DOD identified five core tenets to guide the reformed approach, which were shared with industry in a request for information to gather feedback and help shape the path forward.

“The goal [was] to retain strong cybersecurity standards without sacrificing speed and innovation,” Arrington said.

The forthcoming guidance, which will be issued via a formal letter from her office, is expected to provide more detail on the new “10 Commandments” and how the updated RMF will be implemented across the department.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.