Chris Hoover

What Does Federal IT Risk Mean Right Now?

Blog Post created by Chris Hoover Employee on Apr 2, 2015

Gartner just released their IT Risk Management Magic Quadrant results. RSA is at the front, as usual, but when I saw the results I was immediately struck by a question: how closely do Gartner’s and the federal community’s visions of IT Risk Management align? There has been discussion around redefining these categories, and some have been broken out into new MQs. So, for my federal security professional colleagues, I just wanted to run through Gartner’s definition of ITRM and compare it to current federal thinking and initiatives.



When Gartner evaluates tools in the IT Risk Management domain, their site says they focus on “software products that support the ITRM discipline through automating common workflows and requirements”. Automation is a key theme. The increased complexity and speed of the IT threat landscape requires automation these days. Automation is mentioned several other times on the ITRM page, including: “It is important to note that these products automate good, existing processes. Organizations should seek automation when they have sufficient maturity to take advantage of its benefits.”


This fits in very well with the current federal emphasis on continuous monitoring (both manual and automated). The federal community is now fairly mature in the FISMA/OMB compliance paradigm and C&A/A&A. Logically, continuous monitoring is one of the areas where automation can help enhance the process. This emphasis can be seen in many new releases in the last year. OMB Memos 14-3 and 15-1 have touched on this topic in the last 18 months. FedRAMP updated its continuous monitoring guidance last summer. The NIST 800-53A Rev4 that just came out is MUCH more granular than previous revisions. This provides more granular reporting, but good luck trying to implement it without some automation.


Gartner’s definition of “IT risk management” is based on customer feedback, funneled through a working group of analysts. It is comprised of the following components:

Policy Management

• Authoring, change management and version control
• Development and approval workflow
• Mapping policy statements into regulatory requirements

Compliance Mapping/Reporting – the ability to link the appropriate controls, assets, and assessment results and reports

Security Operations Analysis and Reporting

• Ability to leverage diverse scanner and sensor data
• Turn security metrics into actionable, meaningful reports and dashboards
• Defect remediation workflow

IT Risk Assessment – providing a risk assessment workflow, and linkage between assets, risk assessments, context, and metrics.

Incident Management – manage, remediate, and report on incidents


It’s not hard to see that these very closely align with the current concerns in the federal community. Continuous monitoring, or what DHS calls Continuous Diagnostics and Mitigation for its CDM Dashboard, addresses many of these pieces, as do the NIST RMF and CNSSI 1253. The point I wanted to make is that Gartner has many MQs, and RSA has done well in all of them, as you can see here, here, and here. The ITRM MQ is, I would argue, the most applicable to the largest portion and intent of federal cybersecurity efforts, and in this MQ RSA is not just in the Leaders quadrant, but at the leading edge.


Thanks for reading.

Email me with comments and questions.