Risk management, SCRM, and cybersecurity have been developing across the Federal Government since the passage of FISMA in 2002 and its update in 2014. Alongside this, the DoD is undergoing a significant cyber-risk transformation to achieve superiority against all adversaries in all warfighting domains, including cyberspace. The DoD has formalized FISMA and the RMF across the Army, Navy, and Air Force, requiring the services to adopt a risk-based approach to weapon system cybersecurity under DoDI 8510.01 and to risk management and acquisition under DoDI 5000.90.
In the authors' opinion, DoDI 5000.90 is the first acquisition document representing a bridging of FISMA, RMF, SCRM, and cybersecurity requirements, setting out the risk management practices, oversight, and assurance requirements for cyber risk between the DoD and the DIB. 5000.90 provides consistent guidance for DAs and PMs to oversee cybersecurity and risk management processes and practices for every defense acquisition throughout the supply chain. 5000.90 sets out a risk-based classification structure for cybersecurity through risk tolerance levels.