By Philip D. Schall, Ph.D., CISSP, RDRP
For those who missed my last article titled The Authorizing Official (AO) Problem & The Army Risk Management Council (ARMC), I will provide a quick summary to bring readers up to speed. It has always been my perception that a big part of the “RMF problem” is that Authorizing Official’s (AO’s) often do not fully understand the RMF process which leads to frustration. The Army has proposed/is shifting to a single centralized AO process which from my understanding would work in conjunction with a new group called the Army Risk Management Council (ARMC). Goals of ARMC are to deconflict positions between AO’s and take pressure off AO’s making risk decisions in a vacuum.
The last update I can find indicates ARMC was to be fully staffed by May 2022. During AFCEA Fort Belvoir Industry Days on 7-9 November, I had conversations with many Army RMF practitioners, and no one was aware of any updates on ARMC. This appears to be a trend I have seen over the last few years with these initiatives being introduced in keynote speeches at major events and then followed by very slow rollouts.
In general, those I spoke with at AFCEA Belvoir had no idea about ARMC. Most had heard talk of a shift to a single AO, but not much else. This ARMC query usually resulted in the typical RMF doesn’t work conversation which led to statements like “RMF is just DIACAP on steroids” or “RMF is a check the box process and a waste of time” or my personal favorite “We just need to automate RMF”, but a handful of people had a single very strong and, in my opinion, very valid concern about ARMC. As an aside, it is my position that the negative statements above derive from an improper understanding of RMF application, and these negative comments are perpetuated by those with limited RMF education who do not understand the spirit of RMF.
The primary concern about a single centralized AO and ARMC is that they will not understand all the mission elements of RMF packages in the entire Army. I applaud Army leadership for consistently striving to improve and make RMF more efficient, but I believe the mission concern above is very relevant. I am sure many RMF practitioners would read this and then think about the intricacies and relationships that their current system incorporates and feel uneasy with the idea that a centralized RMF council (who may be even more out of touch than their current AO) would be making their ATO decision. Again, I have no updates on ARMC, so I cannot verify if proposed solutions to the crux referenced above are being worked out, but in publishing these articles we attempt to create discussion around RMF policies and initiatives.
If you have updates or thoughts on ARMC, I would love to hear them, please email me devon@rmf.org or drrmf@rmf.org.