Army’s new cyber risk management plan ‘significantly changes’ approach to bureaucracy

By Briana Reilly / April 26, 2022 at 5:07 PM

BALTIMORE, MD -- Though the Army is still in the early stages of implementing its new approach to cyber risk management, the service’s deputy chief of staff (G-6) said today the effort “significantly changes” how officials will confront the bureaucratic components of the process.

Lt. General John Morrison told an audience at the TechNet Cyber conference here the Risk Management Framework 2.0, published earlier this year, seeks to ensure those involved can “spend the vast majority of our time” focusing on the cybersecurity of operations, systems and networks, rather than waiting for authority to operate.

As part of the overhaul, which the Army has referred to previously as Project Sentinel, the framework realigns the service’s posture toward the authorizing officials who provide operational oversight, while creating an Army Risk Management Council to allow for service-level, threat-informed cyberspace risk decisions.

“If you pull the string, it’s not that we’re just blowing off bureaucracy; we are doing the right level of bureaucracy we need to do the initial assessment of risk . . . and then when we identify risk, because intelligence is absolutely critical here, we now have a mechanism to adjudicate that risk at the Army level that will help us move forward much more rapidly than we have in the past,” Morrison explained.

That council, Morrison said, is currently in final staffing, and officials anticipate it will be approved “in the next month or so.”

The panel will be headed by the G3 and chief information officer, he said. The G6 -- which up until nearly two years ago was part of a combined office with the CIO -- will occupy what Morrison called a “gatekeeper” role “to make sure the appropriate issues go” before the body to strike a balance between technical and operational risk.

Among the council’s “key stakeholders” are authorizing officials, system owners, and the Army’s acquisition executive, according to slides Nancy Kreidler, the director of cybersecurity and information assurance for the Army’s chief information officer (G-6), presented on the framework during a DC summit last week. The slides also note the Army’s principal cyber advisor will serve in an independent advising role to the body.