RMF Transition—What do I Really Need to Know?

By Lon J. Berman, CISSP

It’s hard to believe it’s been a whole year since the publication of DoD Instruction (DoDI) 8510.01 in March of 2014, which officially began the transition from the DIACAP process and IA Controls to the Risk Management Framework (RMF) and NIST Security Controls. While there are isolated pockets of progress to report, the fact is the major DoD components are just now beginning their transition in earnest.

DoD employees and contractors are now faced with the daunting tasks of adjusting to a new process and assessing their systems’ compliance with a completely new baseline of controls. Most have come to the realization that some type of training is essential to their success. But what sort of training do they need?

The first priority should be training centered on the RMF for DoD IT process and its security controls. Such training should provide a thorough understanding of:

  • RMF terminology
  • RMF roles and responsibilities
  • RMF for DoD IT life cycle process
    • Categorize
    • Select
    • Implement
    • Assess
    • Authorize
    • Monitor
  • RMF for DoD IT documentation
    • Security Plan (SP)
    • Security Assessment Report (SAR)
    • Plan of Action and Milestones (POA&M)
  • NIST security controls and assessment procedures

OK, so I need to learn all about the RMF for DoD IT process and security controls. What about eMASS (Enterprise Mission Assurance Support Service) training? Won’t that do the trick? After all, isn’t eMASS the support tool that is becoming the “standard” across all (or nearly all) of DoD?

It is true that eMASS is the tool of choice for most DoD components. And, absolutely, learning how to “push the buttons” and operate eMASS is important. However, without a solid foundation in the RMF process and the NIST controls, eMASS training alone will not give you the understanding you need to tackle the job of getting your systems authorized in accordance with RMF. Ideally, you should walk into eMASS training with thorough knowledge of RMF for DoD IT. That’s the only way you’ll have the context within which to truly grasp what eMASS can do for your organization.

But wait. Doesn’t eMASS training already include instruction in the RMF process and security controls? Generally speaking, the answer is NO … or, if any process training is included at all, it’s absolutely minimal.

The best approach is to get yourself thoroughly trained in RMF for DoD IT, and then get some eMASS training.

That makes sense. Now, I see numerous sources to get RMF training. How do I know which ones are best? Well, a good start is to make sure they are offering “RMF for DoD IT” training, and not just generic “RMF” training. There are very significant differences.

Also, make sure the training vendors you are considering are teaching the entire class from the “DoD perspective”, which should include:

  • DoD policies
  • Similarities and differences between DIACAP and RMF
  • DIACAP-to-RMF transition guidance

Some training providers claim they teach a single RMF course that meets the needs of DoD as well as other departments and agencies. Don’t believe them. Lastly, consider the provider’s overall training approach. Vendors whose primary mission is to prepare students for certification tests may not offer practical guidance, case studies and class exercises appropriate to students who will need to put their training into practice in the “real world” of DoD IT.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.
