
Pentagon CIO Says RMF, ATO Reforms Underway


Kirsten Davies shared how the department is replacing checklist compliance with real-time threat visibility and ATO reform.

Kirsten Davies hosts the annual CIO awards ceremony at the Pentagon in February 2025. Photo Credit: Navy Petty Officer 1st Class Alexander Kubitza

War Department CIO Kirsten Davies said Tuesday that the department is overhauling its risk management framework and authorization to operate processes as part of a broader effort to accelerate cyber operations and move away from compliance-driven security reviews.

Speaking during the opening keynote at AFCEA TechNet Cyber in Baltimore, Davies said the reforms are intended to provide real-time visibility into threats and vulnerabilities through continuous monitoring rather than periodic compliance assessments.

“In the near term, we’re already moving out on overhauling the [risk management framework] and the ATO process,” Davies said. “To do this effectively, we must be able to provide real-time visibility into threats, vulnerabilities and control gaps through continuous monitoring, not check-the-box compliance checklists.”

Davies said the changes are part of a larger effort to modernize how the department approaches cybersecurity risk and technology adoption. The updated ATO process will place greater emphasis on reciprocity and the use of commercial technologies, she said.

“[DOW is updating the ATO process] with modern practices to make reciprocity a foundational tenet of the program and to incorporate commercial, off-the-shelf tools,” Davies said. “Compliance does not equal security. It did not when I was in industry, and it does not from my seat where I am today.”

The reforms build on the department’s Cybersecurity Risk Management Construct released last year. Davies said the department is moving toward a unified, risk-based cybersecurity model.

“We’re transforming the Department of War’s cybersecurity program into a unified, holistic and risk-driven function,” Davies said. “We must instill a bias for action, and I would argue, assume a level of compromise in a risk-prioritized way.”

Davies also previewed organizational changes within the Office of the CIO aimed at accelerating program execution and support for warfighters.

“We must move at the speed of innovation, and we must drive a bias for action,” Davies said. “In the coming months, you’ll see changes coming to the Office of the CIO, driven by a singular, unyielding focus on operationalizing our programs to better serve the warfighters.”

Davies said industry will play a key role in supporting the department’s modernization efforts. She pointed to the department’s $9.7 billion Microsoft Enterprise Software Agreement II Core Enterprise Technology Agreement as an example of leveraging enterprise purchasing power to reduce technical debt and accelerate innovation.

She also highlighted workforce development as a critical component of the department’s cyber strategy, citing the Cyber Registered Apprenticeship Program as a pathway for recruiting and training future cyber defenders.

“There is no algorithm or AI agent that can replace a critically thinking, well-trained, and decisive cyber defender, and there is great competition for talent,” Davies said.
