By Philip D. Schall, Ph.D., CISSP, RDRP
About four or five years ago, I had a meeting with an Army organization on the topic of providing RMF training targeted specifically at Authorizing Officials (AOs). My memory is a bit hazy, but as I recall, after two or three meetings we had outlined what would be necessary to provide a half day of RMF training with AOs as the primary audience. At the time, I was very enthused at the opportunity to fix what I call “The AO Problem”. Unfortunately, the discussions I had did not come to any meaningful result, and an RMF eLearning course was published shortly thereafter, internal to Army. Upon hearing this, I was a bit upset, but I hoped that the meetings and the suggestions I made could help Army in the future.
Flashing forward to today, I recently attended TechNet Augusta. During this conference, I kept hearing chatter of Army shifting to a single AO. Although I do not know the full details of this, I can confirm that one of the single biggest problems I hear from RMF students and practitioners is AOs not fully understanding the RMF process. We also see this as RMF consultants, where different AOs take entirely different approaches to evaluating a package and granting an ATO. Although my major concern with a single AO would be the inability to have a full understanding of all systems being authorized, I certainly would prefer to have a handful of AOs with a strong RMF knowledge base than the alternative.
A relatively new development in Army, in parallel with RMF 2.0, is called the Army Risk Management Council (ARMC). For those who are unfamiliar with RMF 2.0 (not to be confused with the NIST, Ron Ross RMF 2.0 initiative), RMF 2.0 is an Army initiative with the goals of increasing control inheritance and making the RMF process more agile and compact. I first heard about ARMC from Nancy Kreidler, former Director of Cybersecurity at CIO/G6, and Lt. Gen. John Morrison, the Army’s deputy chief of staff, G-6, during a keynote at AFCEA TechNet Cyber. During this keynote, ARMC was proposed with the goals of deconflicting positions between AOs and taking pressure off AOs, who are often making these high-risk decisions alone in a vacuum. The last I heard, ARMC was chaired by Army G-3 and was supposed to be fully staffed in May 2022. The goal of ARMC is to create a network of AOs and more communication regarding systems and how they interact on the network.
Overall, as you can tell from the topics referenced above, Army recognizes it has an AO problem, and I applaud all involved who are continuously working towards making the RMF process more efficient and effective. At BAI, we fully embrace and support RMF efficiency, as long as proposed RMF initiatives do not suggest shortcuts that result in weakening and watering down the RMF process. I look forward to updating our readers as I get more information on ARMC and this ongoing AO conundrum.