Top Ten—What’s “new” in RMF for DoD IT?

By Lon J. Berman, CISSP
BAI Consulting

Now that DoD has “officially” begun its adoption of RMF, let’s take a look at some of the things that are “new”!

10. Cybersecurity. The word “Cybersecurity” has been part of the government IT security discussion for several years, going back to a Presidential Directive in 2008. DoD has now adopted the term Cybersecurity in place of Information Assurance.

9. A&A. With the adoption of RMF, the term “Assessment” will replace “Certification”, and “Authorization” will replace “Accreditation”. Certification and Accreditation (C&A), which has been a cornerstone of DoD IT security for 20 years or more, will henceforth be known as Assessment and Authorization (A&A).

8. Types of DoD IT. DoD now views the overall IT landscape as a collection of Major Applications, Enclaves, Platform IT (PIT), IT Services, and Products. PIT is further subdivided into PIT Systems and PIT. Some of these require assessment and authorization, while others require only assessment.

7. Categorization. DoD will now categorize systems as High, Moderate or Low for each of the three security objectives (Confidentiality, Integrity, Availability). This is in accordance with CNSS Instruction 1253, and replaces the Mission Assurance Category (MAC) and Confidentiality Level (CL).

6. Authorizing Official. Senior DoD officials responsible for accepting risk and authorizing systems for operation will henceforth be known as Authorizing Officials (AOs) rather than Designated Approving Authorities (DAAs).

5. Old titles make a comeback. IA Managers and IA Officers will once again be referred to as Information System Security Managers/Officers (ISSM/ISSO). Many of us have been in the field long enough to remember when those were the titles of choice.

4. Security Plan. A security plan will be required of every DoD IT or PIT System, including, at a minimum, an overview of the security requirements for the system and the security controls in place or planned to meet those requirements.

3. Security Control Assessor (SCA). This is the name now given to the individual or organization responsible for independently testing the security controls of DoD IT systems.

2. Continuous Monitoring. RMF for DoD IT places greater emphasis on the process for ongoing monitoring of security posture. System Owners will be required to develop and receive approval for monitoring plans early in the life cycle. In some cases, systems with robust continuous monitoring programs will be eligible for “ongoing authorization” in lieu of periodic re-authorization.

1. THE NAME. Risk Management Framework (RMF) for DoD Information Technology (IT) … “RMF for DoD IT” … is the name DoD has given to this new process for managing life cycle risk, replacing DoD Information Assurance Certification and Accreditation Process (DIACAP). This is significant because there has been so much speculation and rumor for so long, and several other names, like DIARMF and Cybersecurity RMF, have been tossed about. That’s all in the past now … “RMF for DoD IT” it is! It doesn’t exactly roll off the tongue like DIACAP (or its predecessor DITSCAP) did, but we’ll all get used to it. More than likely it will come to be called just “RMF” for short.

ITdojo offers a comprehensive, 4-day instructor-led seminar that gets you up to speed on all things RMF. If you would like more information on this training program, please visit our RMF for DoD IT page.