Is RMF Really Necessary?

Risk management, whether it follows a specific format or is done independently, is necessary for operating any business in the modern cyber world. RMF, however, is necessary for federal agencies because of the constantly increasing cyber risk to the United States and its citizens, and the need for a universal format to follow.

The risk that the nation faces from threats to federal information is of the utmost importance in an increasingly dangerous cyber environment. The cyber world has become a new frontline for the United States’s geopolitical enemies, and Russia specifically has taken advantage of this new overseas opportunity. According to the Cybersecurity and Infrastructure Security Agency (CISA), “…Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities”. CISA states that “prioritizing patching of known vulnerabilities is key”, and this is exactly what RMF was developed to do. It identifies possible risks (or vulnerabilities), and it creates a format for implementing security controls that mitigate those risks.

Not only is RMF important for the defense of United States control systems and critical infrastructure, but it is also important for the protection of personally identifiable information. Every citizen of the United States has personal information stored in multiple information systems within federal organizations. Without a proper risk management format to follow, this personally identifiable information is at total risk.

The risk management framework is necessary because it outlines a format for organizations to evaluate and continuously re-assess and monitor their risk. Being able to identify and defend against current or future threats is essential when public or private organizations must stay well protected in an ever-changing cyber security environment.
