In an ever-evolving landscape of cybersecurity threats, the National Institute of Standards and Technology (NIST) implemented the Risk Management Framework (RMF), a systematic method to protect its information systems. More than just a set of rules, RMF stands as a fundamental element of the DoD’s cybersecurity strategy, playing a crucial role in advancing both national cybersecurity objectives and defense priorities.

Unfortunately, the RMF accreditation and authorization process for defense contractors and integrators has historically encountered challenges and delays due to several factors, thereby impacting the speed of deployment for critical defense technologies.

In this whitepaper, we will explore several of the main reasons organizations stall while completing the RMF process to achieve the Authorization to Operate (ATO), as well as ways to mitigate these factors.


Turnover represents the most significant risk to the seamless development of an RMF package to achieve an ATO, as it often causes lengthy delays or halts the project altogether. While turnover is often unavoidable in organizational dynamics, the loss of project-specific knowledge, expertise, and information poses formidable challenges. Turnover can initiate a ripple effect, particularly evident when key personnel such as the Information System Security Manager (ISSM) depart, leading to a succession of roles within the RMF project team, often with the Facility Security Officer (FSO) or Information System Security Officer (ISSO) being tapped to lead the RMF project. This dynamic is not confined to technical personnel, but extends to executive leadership as well, where shifts in senior management can introduce competing security strategies. Ultimately, turnover often results in a regression to the initial stages of the RMF process.

To help mitigate the negative impacts of information loss when an employee departs, a company can implement several strategies:

  • Knowledge Transfer: Encourage departing employees to document their processes, procedures, and institutional knowledge before leaving. This documentation can serve as a valuable resource for their successors and other team members.
  • Cross-Training: Foster a culture of cross-training where employees are trained in multiple roles or responsibilities. This ensures that there are backup resources familiar with critical tasks in case of employee turnover.
  • Succession Planning: Develop and maintain a succession plan that identifies potential successors for key positions within the organization. This allows for a smoother transition when employees leave and ensures continuity of operations.
  • Documentation and Standardization: Establish clear documentation standards and protocols. This includes documenting workflows, procedures, and best practices to minimize the impact of information loss.

By implementing these strategies, a company can reduce the ill effects of information loss when a current employee leaves and promote organizational resilience and continuity.

Scope Creep/Project Redefinition

Scope creep occurs when the parameters of the project are changed, regardless of the entity responsible for initiating the change. Scope creep can lead to organizational challenges, as increased demands often require a redistribution of workload, potentially overwhelming team members. Scope creep can also lead to rework, as documentation may need to be rewritten depending on the scope changes.

To reduce the risks associated with scope creep, it is important to establish and adhere to a clearly defined network design or authorization boundary. A comprehensive and visually accessible boundary diagram outlining the logical and physical aspects of the network infrastructure can serve as a valuable communication tool, ensuring alignment among stakeholders and facilitating informed decision-making. If you do not have a clearly defined logical and actual diagram of the boundary, work to develop one as soon as possible, as it will significantly improve project clarity and efficiency. This is a vital part of the Preparation phase of the RMF process.


An issue closely associated with scope creep is indecision or overthinking. There comes a point where clear delineation is necessary, and outcomes must be accepted as they stand. As the project progresses, there may be new findings to address, such as items detected during scans or anomalies that may require further elaboration, often necessitating onsite investigation. Depending on the finding, it may be necessary to assess the risk and determine the severity. If the risk is very low, then deciding to accept it and explain it to the approval authority in the form of a POA&M (Plan of Action and Milestones) is generally acceptable. Decision made!

Delay in Hardware/Software Procurement

Organizations are often delayed in starting the RMF process due to a lack of equipment or software. Procurement delays result in stagnation and frustration. Hardware and software must be ordered ahead of time, with plenty of lead time before the date an organization plans to begin developing its RMF package.

Organizations should work backward from the need-by date, allowing adequate time for equipment ordering, hardening, documentation development, training, and review by the Security Control Assessor (SCA) and Authorizing Official (AO). SecureStrux’s process of developing and submitting an RMF package for ATO consideration for a single stand-alone system can be accomplished in as little as 8 weeks if everything is in place and the staff is trained. A package for an isolated network can be accomplished in as little as 12 weeks, depending on the complexity of the environment. Once the RMF package is submitted, the package must be reviewed by the SCA, which can take 90 days or more, plus some time for the AO review and approval for the ultimate ATO.

Lack of Training

A new ISSM who has not completed the required training can also pose a challenge to seamless RMF package creation and submission. Training for the ISSM position is absolutely necessary, as well as any supplementary or ancillary training. Ideally, this should be completed when the ISSM is appointed. However, we know this can be challenging when a contract is awarded on short notice. In these situations, the training should ideally be finalized or actively underway by the RMF project’s initiation, with an anticipated completion prior to the submission of the RMF package to the SCA for review. Documentation confirming the completion of position-specific training and other relevant training modules must be included in the submission packet, as it is a mandatory requirement for ATO consideration.

How SecureStrux Can Help

At SecureStrux, our DoD Risk Management Framework (RMF) service streamlines processes for our clients, providing tailored solutions at every stage. Our consultants help from the very early preparation phase, documenting your cybersecurity posture, through security control implementation, testing, and remediation support, until you achieve your Authorization to Operate (ATO). We even offer continuous monitoring support post-ATO.

SecureStrux leverages a wealth of expertise from subject matter experts who have “been there, done that.” We have encountered all of the ATO-inhibitors above and help our clients navigate those issues so they can more quickly and easily obtain their ATO.



As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries, including Energy, Manufacturing, Architecture, Education, and Aerospace.