Top Ten—Sources of RMF Policy and Guidance

  1. Top 10 Sources for RMF Policy and Guidance

By Annette Leonard of BAI, Inc.

RMF-related policies and guidance come from a plethora of sources within the seemingly-convoluted federal landscape. We believe a good understanding of these sources will be helpful as you move forward in your RMF implementation. Here, then is our “Top Ten” list of RMF policy and guidance providers.

10. US Congress. The Federal Information Security Management Act, or FISMA, was passed by Congress in 2002. FISMA mandates each federal department and agency to establish and maintain an information security program that includes things such as: periodic assessments of risk and annual reporting of security status. Much of the government’s information security activity can be directly or indirectly traced to the provisions of FISMA.

9. Office of Management and Budget (OMB). OMB, an arm of the White House, is specifically tasked to be the implementer/enforcer of FISMA and the developer of supporting mandates, such as OMB A-130. OMB A-130 calls for explicit information security approval of systems prior to implementation and is the basis of the traditional “Certification and Accreditation” (C&A) programs that exist throughout the federal landscape.

8. National Institute of Standards and Technology (NIST) – Federal Information Processing Standard (FIPS) Publications. NIST is specifically tasked by FISMA to be the developer of implementation guidance. Certain NIST publications are considered federal mandates. Two in particular, FIPS 199 and FIPS 200, are connected to RMF.

7. National Institute of Standards and Technology (NIST) – Special Publications (SP). These NIST publications are considered as non-mandatory guidance, but are available for adoption by the various departments and agencies as part of their (mandatory) security policies. Key RMF-related publications include NIST SP 800-37 (RMF life cycle), NIST SP 800-53 (“catalog” of security controls), and NIST SP 800-53A(assessment methods).

6. Joint Task Force Transformation Initiative (JTFTI). This group includes representatives from DoD, civil departments/agencies, and the intelligence community, and is chartered to develop a “unified information security framework” (i.e., RMF). JTFTI is co-author of the key RMF-related publications from NIST.

5. Committee on National Security Systems (CNSS). This organization is chartered specifically to address the unique information security requirements of systems designated as National Security Systems (NSS). These are systems that process classified or intelligence information, and/or support military operations. The key RMF-related publication is CNSS Instruction (CNSSI) 1253, which lays out the process for categorization and security control selection for NSS.

4. DoD Chief Information Officer (CIO). In March 2014, the DoD CIO published the two key policy documents that kicked off DoD’s transition to RMF. DoD Instruction (DoDI) 8500.01, entitled “Cybersecurity” presents the overarching policy, while DoDI 8510.01, entitled “RMF for DoD IT” lays out DoD’s adoption and adaptation of RMF.

3. DoD Senior Information Security Officer (SISO). The DoD SISO is responsible for overseeing the RMF Technical Advisory Group (TAG), which is responsible for maintaining the RMF Knowledge Service (RMF KS) website (the “authoritative source” for DoD RMF information).

2. Defense Information Systems Agency (DISA). DISA is specifically tasked with developing technical guidance and validation procedures for DoD information systems. In this capacity, DISA publishes a plethora of Security Technical Implementation Guides (STIGs), along with automated tools that provide assistance in assessing STIG compliance.

1. Your DoD Component. While RMF is a highly standardized process, there are still important elements that are controlled at the component level. For example, each component implements its own process for vetting and appointing Authorizing Officials (AO, formerly known as DAA), and for conducting independent assessment (aka. Validation) of information systems.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.