The Impact of DoDI 5000.90 on Defense Procurement

Risk management, supply chain risk management (SCRM), and cybersecurity practices have been developing across the Federal Government since the passage of FISMA in 2002 and its update in 2014. Alongside this, the DoD is undergoing a significant cyber-risk transformation aimed at achieving superiority against all adversaries in all warfighting domains, including cyberspace. This transformation formalises FISMA and the RMF across the Army, Navy, and Air Force, requiring the services to adopt a risk-based approach to weapon system cybersecurity under DoDI 8510.01, and to risk management and acquisition under DoDI 5000.90.

DoDI 5000.90 is the first acquisition document to bridge FISMA, RMF, SCRM, and cybersecurity requirements, setting out the risk management practices, oversight, and assurance requirements for cyber risk between the DoD and the Defense Industrial Base (DIB). It provides consistent guidance for Decision Authorities (DAs) and Program Managers (PMs) to oversee cybersecurity and risk management processes and practices for every defence acquisition throughout the supply chain, and it establishes a risk-based classification structure for cybersecurity through risk tolerance levels.

Adopting the risk-based model put forth in DoDI 5000.90 represents an opportunity to prioritise risk mitigation on critical systems. Furthermore, alternative mechanisms such as cyber audits to verify cyber compliance could be considered to reduce the impact on the majority of suppliers in the DIB.