FCW recently reported that the DOD has released its “Updated IT Management Guidance” – the Second Edition of the DOD Enterprise Service Management Framework. I believe the DOD is continuing to move forward and as reported, this second edition is based on “industry best practices,” and the FCW article goes on to say that a third edition is already underway. I see that as a very positive move (the continuing work in this area and the work on the third edition). While I am unsure how long this Second Edition was in development, after a quick review of the document, I have the following comments related to this document.
First, the FCW article states that “the framework will guide DOD CIO oversight of the department’s IT services. DESMF II’s scope goes beyond DISA-owned or adjudicated IT services to includes all such DOD assets.” My first point is while I applaud the efforts of the DESMF and the DISA ITSMO in the earlier version and this version, I hope that version III will provide more rich detail and possibly case study type examples of an application of the framework to a specific situation or organization.
This document is very long (169 pages) and provides very high level – strategic type of information. There is a lot of work to get from this framework down to an actual IT Enterprise Management implementation at a service or organizational level. While this document makes great progress in establishing DOD high level (strategic) guidance with the application of industry best practices, the inclusion of case studies or real world examples (at least some 1 page examples) at a service and organizational level would greatly help the implementers/users of this framework to better understand how this all applies to their organizational policies, procedures, and operations.
The authors do mention that the services and others contributed to the development of this document, and that there is more in-depth process specific guidance provided in supplemental companion documents located on the ITSM Community of Practice (CoP) and All Partners Access Network (APAN). I could not gain access to these documents, so hopefully these companion documents have additional rich detail for the implementers/users of this document.
Second, the discussion and reference to the NIST Risk Management Framework (Appendix E) and Service Risk Management (Appendix G) in this document needs additional work and tailoring to the DOD. While the NIST RFP and the Service Risk Management Appendix is informative, risk assessments – when completed — are only a “snapshot in time” or a picture of the operational situation at the moment the assessment was completed.
The framework laid out in this document appears to be highly manual (with “risk registers” and manual tracking processes). With the complexity of our IT systems today and the constantly changing nature of our IT networks, what would be more effective is a way to continually see the enterprise IT risk posture, to be aware of changes in key system and network configurations, and to understand how and why those changes are occurring and the impact to the security and risk of our enterprise IT systems.
Having this information in real time is the goal; as a minimum, we need to have an automated risk management system or tool that queries/checks the risk posture of the enterprise and its key elements/devices on a more frequent, automated fashion. Ad hoc, once a year or quarter type assessments are outdated and ineffective in managing the risks associated with the enterprise.
Finally, I commend the efforts that go into these types of high-level framework documents. They are the base level documents that form the foundation upon which organizations can build their enterprise IT implementations, policies, procedures and where they must operate within.
- James Holtzclaw is General Manager of Federal Programs for Waverley Labs, a leading independent digital risk management company. Holtzclaw oversees Waverley Labs services for digital risk management (DRM) solutions supporting the Federal Government – including the Intelligence Community (IC) and the Department of Defense (DoD).
