Quantifying the Risk Management Framework
Abstract:
For the past thirty-five years the DOD/DON have worked diligently to address the exponentially increasing challenges that cybersecurity presents. While the current Risk Management Framework (RMF) approach improves upon its predecessors, it is once again in need of an overhaul. Derived from National Institute of Standards and Technology (NIST) and DOD directives, the DON's RMF process blindly inherited the ambiguity necessary for larger governing organizations, failing to tailor the RMF to specific Navy organizational needs and practices. The DON RMF is highly qualitative and lacks standardized definitions, measurements, metrics, and a risk assessment methodology. The qualitative approach of the current RMF is further complicated by the bias, heuristics, groupthink, inconsistency, overconfidence, and overestimation that ensue from the subjective inputs manifested throughout the DON RMF. The DON must adopt a more quantitative RMF consisting of standardized definitions, measurements, metrics, and better training to ensure risk is being measured and mitigated appropriately. These improvements would continuously provide feedback for process improvement, leading to increased cybersecurity and resiliency of naval networks.