The U.S. Army is overhauling its cybersecurity policy with a new directive signed by Army Chief Information Officer (CIO) Leo Garciga last week that aims to streamline the service’s implementation of its Risk Management Framework (RMF).
The Army’s RMF 2.0, launched in April 2022, aimed to operationalize the risk management process by prioritizing threat-based controls, leveraging inheritance, and providing automation tools to reduce labor-intensive tasks and streamline assessments. The RMF also set the stage for systems to transition into Continuous Monitoring, an initiative that has been a key focus for the Pentagon.
However, despite the implementation of the RMF, “challenges remain with efficiency and addressing the continuous evolving intel-based threats posing real risks to the Army terrain,” the CIO’s memo reads.
According to the memo, the way forward is a “reset” of the Army’s approach to the RMF. Specifically, Additionally, the memo calls for an update in the Army’s approach to continuous monitoring and security controls.
“This memorandum removes the Army-wide deadline for systems to enter Continuous Monitoring … authorizing officials will work with System Owners to determine appropriate timelines to enter Continuous Monitoring,” the memo reads.
The memo also calls for a reset and reinforcement to support cyber hygiene across the Army’s Department of Defense Information Network (DoDIN-A).
“This is a necessary fundamental cultural shift to force shared understanding, acceptance, and risk taking,” the memo reads. Included in that list of “fundamental cultural changes” is the elimination of multiple control assessor to a singular control assessor and more “decentralized” decision-making on cyber risks.
“Capabilities are being delivered expeditiously to the Army through development, security, and operation pipelines and with a durable foundation, risk base decision making is decentralized and competitive with the pace of change,” the memo reads, emphasizing that this approach best leverages capabilities and protect the resources.
