How should risk to mission be considered in RMF decisions?

Risk to the mission is the central consideration in RMF decisions. Security controls aren’t evaluated in isolation; their value comes from how well they protect the mission-critical functions and the system’s role in those functions. When a control enhances availability, integrity, or confidentiality for a mission-critical operation, it reduces the residual risk to the mission and should be prioritized, especially for systems essential to success. This puts security efforts where they matter most for mission outcomes, not just on compliance or budget concerns. Focusing only on budget or regulatory alignment misses the point that some systems are more critical to the mission than others, and ignoring the mission context can leave vital operations vulnerable.