Nevertheless, cybersecurity is gaining a lot of attention and becoming much more important than before. Not only is there increased funding for cybersecurity research from government agencies, there is also significant funding for cybersecurity from government programs. The program that I was working on before (BACN and contract with the Air Force) has enough budget to hire at least 10 to 15 cybersecurity …
This framework is a paradigm shift from the old C&A process, and it calls for a holistic approach to security. It includes the governance aspect (policy and procedure) of risk management, as well as risk management throughout the life cycle of the information system, such as acquisition, supply chains, and maintenance. It is not the old checklist mentality of only fulfilling requirements. It is much more complex. For example, we are supposed to have a continuous monitoring plan and to continuously monitor the effectiveness of the security measures/controls applied to the information system (every year or six months), even beyond the ATO. RMF also has its own schedule, and I have seen it span about 270 days. It has its own scheduling and staffing