DoD Programs “Gear Up” for Transition to RMF

  1. NIST 3 Tier Model Illustrating RMF

By Lon J. Berman, CISSP
BAI Consulting

With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD is now official.

DoD programs big and small have gotten busy planning their strategies for transitioning from DIACAP to “RMF for DoD IT”. Let’s take a look at some of the efforts currently underway across the DoD landscape to “gear up” for RMF.

As you may know, the principles underlying RMF stem from a series of documents published by the National Institute of Standards and Technology (NIST). NIST utilizes a three-tier model to illustrate the risk management process in a large organization. DoD interprets the three-tier model as follows:

  • Tier 1:  DoD Enterprise
  • Tier 2: DoD Components
  • Tier 3: Information Systems

Beyond publication of DoDI 8510.01, what other activities are taking place at Tier 1 (DoD Enterprise) in support of the RMF transition?

  • RMF Knowledge Service. For the past couple of months, DoD has slowly been adding content to the Knowledge Service (KS) website, including security control information, guidance on the RMF process steps, etc. KS is available at the following URL: 
  • eMASS. DoD is in the process of enhancing the Enterprise Mission Assurance Support System (eMASS) to include the RMF workflow, NIST security controls, etc.
  • STIGs. DISA is in the process of revising many of the Security Technical Implementation Guides (STIGs) to include references to applicable NIST security controls.
  • Continuous Monitoring. DISA is in the process of developing CMRS, a Continuous Monitoring and Risk Scoring system that will assist DoD system owners in meeting RMF continuous monitoring requirements.

Tier 2 (DoD Components) are also busy planning for the transition to RMF.

  • Component-specific policies and guidance (e.g., Army, Air Force, Navy and Marine Corps security policies) are being revised to cover Assessment and Authorization (formerly Certification and Accreditation) in accordance with RMF.
  • Under the leadership of the component Security Control Assessor (SCA, formerly CA), assessment teams are being prepared to conduct independent testing of systems for compliance with the NIST security controls in accordance with RMF.
  • Authorizing Officials (AOs, formerly DAAs) are being re-trained as necessary.

And last, but by no means least, Information System Owners (Tier 3) are gearing up, too.

  • System Owners and their support staff are familiarizing themselves with DoD, CNSS and NIST publications that directly support RMF.
  • System Owners are beginning to plan for re-categorizing their systems (using CNSSI 1253 in place of MAC and CL) and developing appropriate security control baselines.
  • System Owners are arranging for their teams, both DoD employees and Contractors, to receive relevant training in RMF.

Be ready for busy times ahead!

If you would like to learn more about ITdojo’s RMF training courses, please visit the links below.