Risk Based Accreditation

Why did the federal government move from a compliance-based accreditation and certification process to a more risk-based process, and what impact has that had on cyber security across all three sectors: agency, defense, and intelligence?

Risk-based accreditation could be considered the lesser of two evils. While no system can provide complete information safety and security, the federal government moved from compliance-based accreditation to risk-based accreditation as a practical way to save money.

While compliance-based accreditation and certification could provide a greater level of security, one must question its practical application and consider the value of the information one seeks to protect. By setting the level of protection commensurate with the risk of that information leaking, the information assurer can conserve valuable resources, for example time.

This change in philosophy has had a great impact on cyber security in the agency, defense, and intelligence sectors, namely by saving them money and allowing employees to spend more time doing their jobs and less time looking over their shoulders in fear of a code violation.