Top Ten—Ensuring a Smooth Transition to RMF

  1. Transition to RMF Training

By Lon J. Berman, CISSP
BAI Consulting

Now that DoD has “officially” begun its adoption of “RMF for DoD IT”, let’s take a look at some of the things your organization can do to ensure a smooth transition.

10. Publications. Organizations should ensure they are using the latest copies of relevant publications. This includes not only DoD issuances (DoDI 8500.01 and DoD 8510.01) but also CNSSI 1253 and NIST Special Publications such as NIST SP 800-37 and NIST SP 800-53. Organizations should also obtain access to the RMF Knowledge Service ( as a source of supplemental guidance.

9. Training. Organizations should ensure that their employees and contractors receive appropriate RMF training (

8. Categorization. Organizations should begin the task of re-categorizing their systems in accordance with CNSSI 1253. Three separate categorization levels (for Confidentiality, Integrity and Availability) will replace the DIACAP MAC and CL.

7. Security Control Baseline. Once each system is re-categorized, organizations should develop an appropriate security control baseline, using NIST SP 800-53, organization-defined parameters, and other tailoring guidance. Any relevant overlays (see below) should be included.

6. Overlays. Organizations should determine if there are any security control overlays relevant to their specific community of interest. If so, these should be incorporated into the security control baselines.

5. Security Plan. Organizations should begin drafting a Security Plan for each system.

4. Gap Analysis and Remediation. Once security control baselines and initial Security Plans have been established, organizations should conduct a self-assessment and identify any compliance gaps resulting from new or changed controls. Plans for addressing any identified compliance gaps should be developed. This is particularly important because additional funding or other resources may be required.

3. Continuous Monitoring Plan. Organizations should begin developing plans for continuous monitoring of security controls, in accordance with DoDI 8510.01 and NIST SP 800-137.

2. Assessment and Authorization. Organizations should coordinate with their specific DoD component to determine if there have been any changes to the process of arranging for independent assessment (validation) of security controls. Organizations should also coordinate with their specific DoD component to determine if there has been any change to the AO (formerly DAA) assigned to their systems.

1. ANTICIPATE CHANGE. Organizations should understand RMF is still very much a “work in progress” within DoD. Changes to policies and guidance are to be expected as the process rolls out. Relevant DoD and DoD Component websites and publication sites should be regularly monitored for updates. Regular visits to the RMF Knowledge Service (KS) are a good starting point. 

If you would like to learn more about ITdojo’s RMF training courses, please visit the links below.

Page 3