In a move aimed at streamlining cybersecurity practices within the Department of Defense (DoD), Chief Information Officer John Sherman announced the issuance of a new memorandum during his keynote address at the GEOINT Symposium. The memo, titled “Resolving Risk Management Framework and Cybersecurity Reciprocity Issues,” was authorized by Deputy Defense Secretary Kathleen Hicks and focuses on improving the efficiency of the authority to operate (ATO) processes that have been a point of contention among industry leaders.
The newly released guidance addresses the crucial need for “testing re-use and reciprocity” in risk management decisions across the DoD, emphasizing a more collaborative approach to cybersecurity. This initiative is expected to significantly reduce the costs and delays associated with the validation and operation of IT systems on defense networks by allowing federal entities to leverage prior assessments from both internal and external organizations.
Deputy Secretary Hicks’s directive mandates that any policy or implementation challenges related to the Risk Management Framework (RMF) should be escalated directly to Sherman and his office. This move is part of a broader effort to ensure that cybersecurity risks are managed more effectively and that technological capabilities are delivered to warfighters without unnecessary delay.
“DOD Components can request DOD CIO assistance in resolving reciprocity and other RMF policy, guidance, and technical issues by contacting the RMF Technical Advisory Group secretariat,” stated Hicks in the memorandum. This step is intended to centralize and expedite the resolution of any issues that arise in the implementation of these new procedures.
Sherman highlighted the importance of this initiative in his speech, acknowledging recent industry feedback about the cumbersome ATO process. “I saw on LinkedIn, as recently as this morning, some folks talking about this. And I want to let you all know: We’ve heard you loud and clear on this within the DOD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” he explained to the audience.
The DoD’s commitment to refining its risk management and cybersecurity strategies is a clear response to the evolving needs of the defense sector, particularly in accelerating the deployment of innovative technologies that are critical to national security. This policy update is poised to foster greater agility and collaboration within the Department, ultimately enhancing the United States’ defense capabilities in the digital age.
Read the Memo at DoD here.
