Pentagon to roll out ‘new RMF’ by end of November
DoD will release the “10 commandments” of the new Risk Management Framework in the coming weeks, with the new policy set for release by Nov. 30.
The Pentagon will soon issue more details on its much-hyped effort to “blow up” the Risk Management Framework used to accredit software.
Katie Arrington, who is performing the duties of the Defense Department chief information officer, said DoD will unveil the “10 commandments” of the “new RMF” in the next couple of weeks. DoD’s work to revamp how it accredits software has been a top discussion point in federal technology circles in recent months.
“It’s the 10 tenets of the new RMF,” Arrington said at the Billington Cyber Summit on Thursday.
The tenets will include “continuous monitoring; re-looking at what a [cybersecurity service provider’s] definition and training and education is; and using continuous [authority to operate],” Arrington added. “Not waiting for that two-year valley of death that we go through.”
By Nov. 30, Arrington said, the department will release a revamped DoD instruction on cybersecurity. The current instruction, DoDi 8500, was last updated in 2019. It sets out the risk management policies that DoD organizations use to evaluate and manage software security risks.
“And we get on with things, and we start making some money and making some technology happen and making people actually have a chance to survive,” Arrington said.
Arrington kicked off the process to overhaul the RMF in April under the Software Fast Track (SWFT) initiative.
The goal is to speed up the acquisition of secure software. For years, DoD officials have lamented that the RMF is too static and arduous a process. In recent years, the military services and defense agencies have instead moved to embrace the continuous ATO process.
Arrington said DoD has had two pilots successfully go through the SWFT initiative.
Meanwhile, DoD is also working on a new concept called “mission network as-a-service,” Arrington said.
The goal is to collapse disparate mission networks across combatant commands into secret-level environments built on commercial cloud, Arrington said. The environment will include identity, credential and access management, or ICAM, capabilities along with “appropriate data label and data tagging,” she said.
“So that what happens is I can run on an [impact level two] environment, and the data as it goes up and traverses into my secret fabric, it’s only the particular pieces of data that I need that actually make it secret,” she said. “But when I micro segment up into another level and I bring in other data parts, it becomes top secret.”
The new cybersecurity initiatives come as yet another key Arrington initiative, the Cybersecurity Maturity Model Certification (CMMC) program, is set to officially go into effect on Nov. 10. The CMMC program has been years in the making.
“She was seven years in gestation, and she finally was born,” Arrington joked at Billington. “She’s beautiful.”
© 2025 Federal News Network. All rights reserved.