Closing the gaps between cyber risk assessment mechanisms


The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the Department of Defense’s Risk Assessment Methodology (RAM) both provide mechanisms to assess overall risk in government agencies and military services.

RMF is well grounded in established procedure: it categorizes information systems across the organization, selects and assesses the security controls appropriate to each system's categorization, and monitors those controls so that risk is understood and managed on an ongoing basis.

RAM also addresses risk, but it focuses on a specific threat or vulnerability and the systems it affects. RAM is event-driven, while RMF is continuous and high-level. In today's military cyber environments, where ongoing security maintenance often takes a back seat to current operations — separating executives from the…
