US DoD Procurement and the application of FISMA and the RMF

The impact of DoDI 5000.90 on defence procurement

Risk management, SCRM, and cybersecurity have been developing across the Federal Government since the passing of FISMA in 2002 and its update in 2014. Alongside this, the DoD is undergoing a significant cyber-risk transformation to achieve superiority against all adversaries in all warfighting domains, including cyberspace. It is formalizing FISMA and the RMF across the Army, Navy, and Air Force, requiring the services to adopt a risk-based approach to weapon system cybersecurity under DoDI 8510.01 and to risk management and acquisition under DoDI 5000.90.


In the authors' opinions, DoDI 5000.90 is the first acquisition document that bridges FISMA, RMF, SCRM, and cybersecurity requirements, setting out the risk management practices, oversight, and assurance requirements for cyber risk between the DoD and the DIB. 5000.90 provides consistent guidance for DAs and PMs to oversee cybersecurity and risk management processes and practices for every defense acquisition throughout the supply chain. 5000.90 sets out a risk-based classification structure for cybersecurity through risk tolerance levels.


The approach should benefit both the DoD and the DIB in managing cybersecurity and improving oversight and assurance based upon risk prioritization. Lower-risk systems require fewer controls and less oversight and assurance when compared to high-risk (low-risk-tolerance) ones. Given the existing constraints on resources, the complexity of multi-national agreements, and the impact on innovation, adopting the risk-based model put forth in 5000.90 represents an opportunity to prioritize risk mitigation on critical systems. Furthermore, alternative mechanisms such as SOC 2 audits to assure cyber compliance could be considered to reduce the impact on the majority of suppliers in the DIB.

DoD procurement under DoDI 5000.90

DoDI 5000.90 defines the process for the adoption of the Risk Management Framework (RMF) under FISMA and its application to defence procurement and C-SCRM.

Copyright © 2021 Augusta GRC, LLC - All Rights Reserved.