

The Defense Department has issued its first call to industry in a promised effort to “blow up” its implementation of the Risk Management Framework, the scheme the department uses to assess and certify the cybersecurity of its IT systems.
In a brief request for information published Tuesday, the department asked vendors for input on specific questions. Most questions deal with how other organizations design their systems with cybersecurity protections in mind, how they test and monitor them for threats and vulnerabilities on an ongoing basis, and how they manage cyber risks.
An informational graphic distributed together with the questions to vendors describes DoD’s overall objective as reforming its existing RMF process into one that “reimagines” cyber risk management. Officials said they’re aiming toward a “culture, mindset and process” that moves more quickly, “more effectively assesses and conveys risk and is less burdensome to cyber and acquisition professionals while ultimately providing operational combatant commanders with an accurate understanding of cyber risk to mission.”
DoD’s notional construct in the RFI outlines security controls from RMF and the NIST Special Publication 800-53 under a slimmer approach with five phases: design, building, testing, onboarding and operations.
In remarks earlier this month, Katie Arrington, DoD’s acting chief information officer, said reworking the framework in that way would reduce redundancies that slow down the department’s cyber processes.
“Out of the NIST 800-53, I look at 40% of those requirements as security — non-negotiable. They are hard and true,” she said at an event hosted by the Intelligence and National Security Alliance. “I look at 20% of the NIST 800-53 as policy, and some are risk reduction capabilities. So if I’ve got 40% nailed down, there are redundancies. Why should a [cybersecurity service provider] be asking a question about physical security? Why should that be in their audit process? If it’s a cleared defense contractor, isn’t that the job of the Defense Counterintelligence and Security Agency? We have multiple redundancies in the RMF. We’re eliminating those.”
However, the department’s revised approach is likely to end up focusing on the way DoD implements RMF — not on a wholesale replacement of the framework itself.
Rob Vietmeyer, DoD’s chief software officer, told Federal News Network a reimagined process could also make heavy use of automation and inheritance to ensure appropriate security controls were being adopted and implemented on a continuous basis — not just at a single point in time when an authority to operate is granted.
“There are parts of the DevSecOps pipeline that enable us to inherit a significant portion of the needed controls,” he said during an interview on Federal News Network’s Cloud Exchange 2025. “And in the case of cloud providers, they’re accountable for maintaining a lot of the controls. As we build DoD platforms, we can have dedicated platform teams that are responsible for the cyber posture of that platform, and then the applications that we’re putting on top of that inherit all of that security, all of that secure operations, automatically. We have these gateways that are built into the pipeline that say, ‘This piece of software or this system has passed the appropriate security testing and controls,’ so that when it ends at the pipeline, it’s approved to deploy without additional paper-based, manual sorts of assessment processes.”
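As an added illustration, not from the article or from DoD, of the kind of pipeline gate Vietmeyer describes: a script that merges control evidence inherited from cloud, platform and application layers and blocks a deploy when any required control lacks a recent passing check. The control ids are NIST SP 800-53 identifiers; the layers, evidence and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Evidence:
    control: str           # NIST SP 800-53 control id, e.g. "SC-7"
    provider: str          # layer that satisfies it: "cloud", "platform" or "app"
    verified_at: datetime  # when the automated check for it last passed

def effective_controls(layers, now, max_age):
    """Merge evidence from inherited layers, outermost first; a later
    (inner) layer may re-attest a control. Only evidence verified within
    max_age counts, so a one-time attestation expires unless the check
    keeps passing on a continuous basis."""
    covered = {}
    for layer in layers:
        for ev in layer:
            if now - ev.verified_at <= max_age:
                covered[ev.control] = ev.provider
    return covered

def pipeline_gate(required, layers, now, max_age=timedelta(days=1)):
    """Deploy gate: approve only when every required control has fresh
    evidence. Returns (approved, missing_controls, coverage_map)."""
    covered = effective_controls(layers, now, max_age)
    missing = sorted(c for c in required if c not in covered)
    return (not missing, missing, covered)

# Constructed sample data (assumption: one cloud, one platform, one app layer).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CLOUD = [Evidence("SC-7", "cloud", NOW - timedelta(hours=2)),        # boundary protection
         Evidence("PE-3", "cloud", NOW - timedelta(hours=6))]        # physical access control
PLATFORM = [Evidence("AU-2", "platform", NOW - timedelta(hours=1)),  # audit events
            Evidence("SI-2", "platform", NOW - timedelta(days=10))]  # flaw remediation, stale
APP = [Evidence("RA-5", "app", NOW - timedelta(minutes=30))]         # vulnerability scanning
REQUIRED = {"SC-7", "PE-3", "AU-2", "SI-2", "RA-5"}

def demo():
    """Run the gate over the sample layers; SI-2 evidence is 10 days old, so deploy is blocked."""
    return pipeline_gate(REQUIRED, [CLOUD, PLATFORM, APP], NOW)

if __name__ == "__main__":
    approved, missing, covered = demo()
    print("approved" if approved else f"blocked, missing fresh evidence for: {missing}")
```

Widening `max_age` to 30 days lets the stale patching evidence through and the gate approves, which is exactly the point-in-time weakness the continuous approach is meant to remove.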
Though officials emphasized no final decisions have been made about exactly what changes will be made to the framework or DoD’s implementation, it’s essential that the process be reformed and made more agile, Vietmeyer said.
“Our implementation in the department today impedes innovation. It burdens our workforce. It’s really difficult to scale,” he said. “It’s kind of this archaic paper-driven, compliance-first type of approach that has a lot of overhead and is slow to adapt to the modern environment where the adversary is continually attacking with advanced persistent threats.”
Vietmeyer noted that last year, about 40,000 [Common Vulnerabilities and Exposures] came up — a 38% increase from the previous year.
“These are things in your systems that need to be patched,” he said. “And if you’re not in a highly dynamic real-time cyber posture that can respond with that level of speed with update and patching and response actions, you’re going to fall behind. You’re going to be vulnerable to your adversaries.”
Copyright © 2025 Federal News Network. All rights reserved.