Spotlight: Transitioning to the Risk Management Framework (RMF)

  1. Transitioning to the Risk Management Framework

With the publication of revised DoD Instruction 8510.01, adoption of the Risk Management Framework (RMF) by DoD has begun.  DoD programs are busy planning and implementing strategies for transitioning from DIACAP to “RMF for DoD IT”.

What Efforts are Taking Place in Support of the RMF Transition?

Tier 1: DoD Enterprise

RMF Knowledge Service – DoD continues to add content, including security control information and guidance on the RMF process steps.

eMASS  – DoD continues to enhance the Enterprise Mission Assurance Support System (eMASS) to include RMF workflow, NIST security controls, etc.

STIGs DISA is revising many of the Security Technical Implementation Guides (STIGs) to include references to applicable NIST security controls.

Continuous Monitoring DISA is in the process of developing CMRS, a Continuous Monitoring and Risk Scoring system that will assist DoD system owners in meeting RMF continuous monitoring requirements.

Tier 2: DoD Components

Component-specific policies and guidance (e.g., Army, Air Force, Navy and Marine Corps security policiy revisions) are being revised to cover Assessment and Authorization (formerly Certification and Authorization) in accordance with RMF.

Security Control Assessor (formerly CA) assessment teams are preparing to conduct independent testing of systems for NIST compliance.

Authorizing Officials (AOs, formerly DAAs) are being re-trained.

Tier 3: Information Systems

System Owners and support staff  are getting familiar with DoD, CNSS and NIST publications that directly support RMF.

System Owners are beginning to plan for re-categorizing their systems (using CNSSI 1253 in place of MAC and CL) and developing appropriate security control baselines.  They are also arranging for their teams, both DoD employees and contractors, to receive relevant RMF training.

If you are interested in taking a look at the RMF courses that IT Dojo has to offer, please check out our Risk Management Framework Training page.