The Department of Defense (DoD) is looking for input from industry on its plans to “blow up” the agency’s Risk Management Framework (RMF) while switching to a real-time cybersecurity posture.
The RMF ensures compliance with National Institute of Standards and Technology (NIST) cybersecurity standards and implements requirements under the Federal Information Security Modernization Act (FISMA).
The Pentagon has said its decision to overhaul the RMF is aimed at transitioning from a compliance-first approach to automated real-time cybersecurity operations.
“The Government is seeking input from industry to better understand current capabilities, innovative solutions, and business practices that can support revamping RMF to streamline the approval process for operational capabilities, ensuring expedited deployment for the Warfighter,” reads the request for information (RFI) published to SAM.gov on June 24.
Responses to the RFI are due on July 24.
Specifically, the RFI requests an overview of how cybersecurity, resilience, and risk management are built into systems from design to deployment. It emphasizes integration of security-by-design, survivability, and compliance with evolving standards.
It also seeks details on testing, monitoring, and remediation tools – especially those using automation and centralized reporting. The goal, according to the RFI, is to ensure real-time threat detection, continuous improvement, and alignment with industry frameworks.
“When we look at … the problem, in my opinion, [of] the [current RMF] implementation being paper-driven, one-time sort of assessments, and sort of slow to pull in more modern approaches, I think that’s what we want to blow up, right? It’s really the implementation and how it works today,” said Rob Vietmeyer, the chief software officer at the DoD, who recently explained the Pentagon’s decision to overhaul the framework.
The RFI published Tuesday is the first requesting feedback on the RMF overhaul efforts and follows other recent RFIs the department published on its Software Fast Track (SWFT) framework.