Dr. Darren Death, ICIT Fellow, shares his perspective on using the Risk Management Framework (RMF) as intended, as an engineering framework that links security requirements to system behavior.
The RMF already defines a complete lifecycle for continuous (in NIST SP 800-37 terms, ongoing) authorization, with its Monitor step built around ongoing assessment of control effectiveness; it should be executed as part of engineering and operations rather than run as a separate compliance process.
The Risk Management Framework is intended to align engineering, operations, and governance with measurable control performance.
However, in practice, some agencies have adapted it into an administrative process focused on documentation rather than active demonstration of protection.
Author's summary: Use RMF as an engineering framework.