Getting Off to a Good Start with Your RMF Transition

By Annette Leonard of BAI Information Security

“The beginning is the most important part of the work.” ― Plato, The Republic

Before rushing headlong into the RMF fray, DoD system owners should take the time to ensure they get off to a good start. Mistakes made at the beginning of the effort can be very costly to correct later in the life cycle.

Here, then, is our “Top Ten” list of things you should do to “hit the ground running” with your RMF transition effort.

10. Glossary.

RMF is replete with new or revised terminology and acronyms. Get yourself a copy of CNSSI 4009, the National Information Assurance Glossary. This will be an invaluable reference for those times when you run into an unfamiliar term or find yourself in a friendly “dispute” over something you encounter in a policy document or memo.

9. Document Library.

Start building a library of RMF reference documents. Remember, unlike previous DoD processes, RMF relies heavily on documents from sources outside DoD. Here is a good starting list for your library:

  • DoDI 8500.01, DoDI 8510.01
  • CNSSI 1253
  • NIST SP 800-37
  • NIST SP 800-53, NIST SP 800-53A.

8. Component Policies.

Check with your DoD Component (Air Force, Army, Marine Corps, Navy, etc.) cybersecurity office to see if there are any policies or instructions related to RMF. If so, add them to you document library.

7. Authorizing Official(s).

Make sure you know who will be signing the authorization (accreditation) for your system(s) under RMF. It may or may not be the same individual (DAA) who signed your DIACAP ATO.

6. RMF Knowledge Service.

Make sure you can access the RMF Knowledge Service (KS). This website is DoD’s “authoritative source” for all things RMF.

5. Automated Tool.

Make sure you have an account and can log into the automated tool that your component or command will be using to support RMF. In many cases, this will be the DoD enterprise tool eMASS.

4. System Boundaries and Inheritance.

Take the time to confirm your system boundaries and inheritance relationships with hosting providers, etc.

3. Information Content.

Make sure you understand the types of information stored and processed by your system(s) and who the information owners are. These individuals will be critical to the success of the system categorization effort.

2. Information Security Support.

Make sure you have an Information System Security Manager (ISSM) or Information System Security Officer (ISSO) on your team to provide support.

1. Training.

Make sure you and the other members of your team are trained, both in the RMF for DoD IT process itself, and in any automated tools (e.g., eMASS) you will be using to document your efforts.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.