Compliance. It’s everything.

In order to build an effective security program, the security controls outlined in SP 800-53 and related procedures must be followed rigorously. The Risk Management Framework (RMF) is not just paperwork: it is a valid framework for identifying, assessing, and continuously monitoring risk to an organization’s information. Although it may seem administrative, the organization and its management must commit to protecting the organization’s information and operations.

Complying with the framework’s requirements is important not only for the organization itself; for many organizations, it is also important for the defense of other connected organizations, of the individuals whose information is held in the system, and of the nation’s cyber defense as a whole. Specific controls require assessments to determine their overall effectiveness, and the only way to reach compliance is to implement the controls properly and monitor them continuously. A foundational understanding of the risk the organization faces is essential for making risk-based decisions and for protecting information systems nationally, and that is why compliance is important.

To put it into context, imagine a federal government in which federal agencies did not comply with a framework such as RMF. If every organization managed its own risk in its own way, there would surely be abundant unchecked risk. With just one mistake or ‘leak’, an attacker could breach a federal agency’s information systems. Without a universal framework for federal agencies, the same attacker could force their way into multiple systems from access to just one. The federal government would have limited ways to stop or manage such an attack, because every federal agency would operate under its own unique risk management plan, and there would be no way to understand, at a broader level, the risk that the nation faces.

RMF compliance is important not only because it ensures that risk is managed uniformly across organizations, but also because RMF means that risk is being managed properly. RMF, even for private organizations, is one of the most effective risk management frameworks available, which makes compliance very important.
