The Augusta Group
US DoD Procurement and the application of FISMA and the RMF

The impact of DoDi 5000.90 on defence procurement

Risk management, SCRM, and cybersecurity have been developing across the Federal Government since the passing of FISMA in 2002 and its update in 2014. Alongside this, the DoD is undergoing a significant cyber-risk transformation to achieve superiority against all adversaries in all warfighting domains, including cyberspace. This includes formalizing FISMA and the RMF across the Army, Navy, and Air Force, requiring the services to adopt a risk-based approach to weapon system cybersecurity under DoD 8510.01 and to risk management and acquisition under DoDI 5000.90.


In the authors' opinions, DoDI 5000.90 is the first acquisition document to bridge FISMA, RMF, SCRM, and cybersecurity requirements, setting out the risk management practices, oversight, and assurance requirements for cyber risk between the DoD and the DIB. 5000.90 provides consistent guidance for DAs and PMs to oversee cybersecurity and risk management processes and practices for every defense acquisition throughout the supply chain. 5000.90 sets out a risk-based classification structure for cybersecurity through risk tolerance levels.


The approach should benefit both the DoD and the DIB in managing cybersecurity and improving oversight and assurance based upon risk prioritization. Lower-risk systems require fewer controls and less oversight and assurance when compared to high-risk (low risk tolerance) ones. Given the existing constraints on resources, the complexity of multi-national agreements, and the impact on innovation, adopting the risk-based model put forth in 5000.90 represents an opportunity to prioritize risk mitigation on critical systems. Furthermore, alternative mechanisms such as SOC 2 audits to assure cyber compliance could be considered to reduce the impact on the majority of suppliers in the DIB.

DoD procurement under DoDI 5000.90

DoDI 5000.90 defines the process for the adoption of the Risk Management Framework (RMF) under FISMA and its application to defence procurement and C-SCRM.

Copyright © 2021 Augusta GRC, LLC - All Rights Reserved.