DoW's "RMF 2.0"
This week, the Department of War (DoW) rolled out its long-awaited RMF overhaul, dubbed the "Cyber Security Risk Management Construct".
It includes 10 core principles:
Automation: driving efficiency and scale
Critical Controls: identifying and tracking the controls that matter most to cybersecurity
Continuous Monitoring and ATO: enabling real-time situational awareness to achieve a constant ATO posture
DevSecOps: supporting secure, agile development and deployment
Cyber Survivability: enabling operations in contested environments
Training: upskilling personnel to meet evolving challenges
Enterprise Services & Inheritance: reducing duplication and compliance burdens
Operationalization: ensuring stakeholders have near real-time visibility of the cybersecurity risk posture
Reciprocity: reusing assessments across systems
Cybersecurity Assessments: integrating threat-informed testing to validate security
If you're like me, you'll likely be relieved to see this announcement, not because it is groundbreaking per se, but because it is grounded in the same fundamental principles I and fellow practitioners have been advocating for when it comes to doing cybersecurity and GRC Engineering correctly.
This includes focusing on the controls that make the most impact and risk reduction, sound DevSecOps principles, a secure SDLC, automating traditional compliance assessment toil, and moving towards cyber resilience.
Hopefully, many others will be willing to adopt these principles as well to deliver improved outcomes for the warfighters and our nation.
war.gov/News/Releases/R…