Deputy Defense Secretary Kathleen Hicks is making changes to the Pentagon’s authority to operate (ATO) process, which many industry officials have argued hinders rapid technology and software innovation.
The May 2 memo from Hicks, entitled “Resolving Risk Management Framework (RMF) and Cybersecurity Reciprocity Issues,” directs Department of Defense (DoD) authorizing officials to reuse risk management assessments from other DoD components to accelerate the ATO process – unless cybersecurity risk is a concern.
Hicks explained in the memo that she “expect[s] testing re-use and reciprocity to be implemented [by DoD authorizing officials] except when the cybersecurity risk is too great.”
But if authorizing officials and chief information officers (CIO) from DoD components cannot reach an agreement on leveraging re-use and reciprocity, Hicks “directs both parties to engage directly with the DoD CIO to resolve the impasse.”
The memo aims to resolve ongoing complaints from industry over risk management and cybersecurity reciprocity challenges. Reciprocity would enable defense agencies to reuse risk management assessments and share information among themselves to reduce costs and time associated with the ATO process for approving IT systems to operate on the information networks.
“We must accelerate and streamline the delivery of capabilities to the warfighter,” Hicks wrote. “Maintaining our cybersecurity standards and leveraging reciprocity between system owners and authorizing officials is critical to this objective. Accordingly, the DoD must adopt a risk informed and mission-aligned culture of collaboration in cybersecurity testing and reciprocity.”
The memo also mandates that Pentagon components elevate any associated policy and implementation issues straight to the DoD CIO and his team.
“DoD Components can request DoD CIO assistance in resolving reciprocity and other RMF policy, guidance, and technical issues by contacting the RMF Technical Advisory Group secretariat, within DoD CIO,” Hicks wrote in the guidance.
Hicks also is directing the DoD CIO to report to her office “the assistance requested, and the measures taken to help resolve each issue on a monthly basis.”
DoD CIO John Sherman spoke briefly about the one-page memo during his keynote speech at the annual GEOINT Symposium on May 8.
“The security environment has evolved over the years,” Sherman said, adding that in response to that change “we’re constantly evolving in DoD CIO.”
“We’ve heard you loud and clear on this within the DoD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” he added.