Risk Management
In the past, the practice of risk management in cybersecurity was either ignored or left entirely to each corporation or government agency to set its own policies and practices. President Obama issued Executive Order (E.O.) 13636, Improving Critical Infrastructure Cybersecurity, in 2013 to create the first applicable cybersecurity legislation in the U.S. and to establish a foundation for policy creation (Mustard, 2014).
Executive Order 13636 also directed the National Institute of Standards and Technology (NIST) to create a framework for risk management that USG cybersecurity organizations will follow. The NIST cybersecurity Risk Management Framework (RMF) borrows many characteristics of software-intensive production and closes the gap between quality management and the operations carried out at the executive and business-process levels. It also links strategic planning, quality management, and the ISO 31000 standard for risk management (Radziwill and Benton, 2017). According to Davis (2018):
The RMF provides a standardized process and a common control set with which cybersecurity and risk management activities can be integrated into system developmental life cycles across all federal agencies. This requires system and program managers to consider “baked-in” security in the development phase of the system life cycle. (p. 11)