RMF: Is It Effective?

By Kathryn Daily, CISSP, RDRP

In July 2017, SolarWinds conducted an online survey via Market Connections of approximately 200 federal government IT decision makers and influencers. Its goals were to determine the challenges IT professionals face in preventing security threats, quantify the sources and types of IT threats, determine the elements that aid successful risk management, gauge sentiment regarding mandates and compliance, and address the effect of network modernization on agency IT security challenges. 95% of respondents were from federal, civilian or independent government agencies, the DoD or a Military Service, with a wide range of involvement in decision making.

More than three fourths describe their agency’s ability to provide managers and auditors with evidence of appropriate IT controls as either excellent or good (27% excellent, 52% good). Not surprisingly, budget constraints top the list of significant obstacles. While foreign governments top the national news headlines, they are noted as only the second highest source of security threats (48%). The leading threat source is reported as careless/untrained insiders (54%). Careless/untrained insiders increased from 48% in 2016 to 54%, with foreign governments remaining static since last year.

A significantly greater proportion of respondents who rate their agency’s ability to provide managers with evidence of IT controls as fair/poor indicate they have seen an increase in SPAM, external hacking and denial of service. A significantly greater proportion of respondents who rate that ability as excellent indicate they have seen a decrease in most cyber security threats. This is an indication of the effectiveness of the Risk Management Framework. Over half of respondents indicated that while RMF posed more of a challenge, it also contributed to success.

The NIST Cybersecurity Framework appears to be successful in promoting a dialog about managing risk, but opinions are split as to whether federal IT professionals fully understand the framework.

Over half of respondents state that federal agencies are more proactive than they were five years ago and that compliance has helped their agency improve its cybersecurity capabilities.

When it comes to compliance and risk management, 70% agree that being compliant does not necessarily mean being secure, and 58% agree that risk management is too often treated as a compliance issue and that security regulations and mandates lead to complacency, since tasks are performed to ‘check a box’.

When compared to the commercial sector, nearly half feel their agency’s security practices are on par with those of commercial companies, and slightly over half indicate that their ability to provide managers with evidence of IT controls is more robust than in the commercial sector.

I believe that the key takeaway from this data is that while most agree that compliance has helped their agency improve its cybersecurity capabilities, 70% believe that being compliant does not mean being secure, and over half believe that regulations and mandates can lead to complacency as tasks are performed to check a box.

See the entire survey here: https://www.slideshare.net/SolarWinds/solarwinds-federal-cybersecurity-survey-2017-government-regulations-it-modernization-and-careless-insiders-undermine-federal-agencies-security-posture/1

If you are interested in learning more about our RMF for DoD IT training course, please click here.