DoD (Finally) Begins Transition to RMF

By Lon J. Berman, CISSP
BAI Consulting

The wait is over! RIP DIACAP!!

At long last, DoD has announced the start of transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies … including DoD, the intelligence community and all “civil” departments/agencies … into a “unified information security framework.”

Two key documents were signed and released by DoD Chief Information Officer Teresa Takai in March 2014:

  • New DoD Instruction (DoDI) 8500.01, replacing DoD Directive (DoDD) 8500.1. The title has been changed from Information Assurance to Cybersecurity.
  • Revised DoD Instruction (DoDI) 8510.01; title changed from DIACAP to Risk Management Framework (RMF) for DoD Information Technology (IT).

So far, so good … but wait a minute! What about DoDI 8500.2? For those new to the process, that’s the document that contains all the “IA Controls” (security requirements) with which DoD systems are required to comply. Wouldn’t that also need to be revised to fit into the new process? Well, the short answer is there will be no revised DoDI 8500.2 — DoD has decided to simply rescind it.

So how exactly is DoD going to implement a brand new information security framework without specifying requirements? It's easy: they have decided not to reinvent the wheel, but rather to leverage the extensive work of NIST, the National Institute of Standards and Technology, and CNSS, the Committee on National Security Systems.

A few of the key NIST and CNSS publications that are being “adopted” by DoD are:

  • NIST Special Publication (SP) 800-53, Revision 4. This document contains an extensive “catalog” of Security Controls (requirements).
  • NIST SP 800-37, Revision 1. This is the definitive Risk Management Framework document, describing the roles and responsibilities, life cycle process, etc.
  • CNSS Instruction (CNSSI) 1253. This publication describes the methodology that DoD will use for categorizing systems and selecting security controls.
  • NIST SP 800-53A, Revision 2. This document contains recommended assessment objectives and procedures for each of the Security Controls.

The change from DIACAP to RMF will eventually affect every DoD information system, including “DoD owned and operated” systems as well as processes and systems operated by industry partners on behalf of DoD. A phased approach is being adopted, such that every system will be fully transitioned in time for its next re-authorization (reaccreditation) date.

Now that the official publications are on the ground, there is plenty of work still to be done by DoD to support the transition. The Knowledge Service website is in the process of being updated with RMF information, including the all-important assessment procedures for evaluating compliance with each of the controls. Also on the horizon is a major overhaul of the eMASS tool to support the RMF workflow, the NIST security control set, etc.

ITdojo now has three courses to help with the transition, if your organization has not already made it. They are:

  • Risk Management Framework (RMF) for DoD IT Training
  • Risk Management Framework (RMF) for FISMA IT Training
  • Information Security Continuous Monitoring (ISCM) Training