Risk Management Framework

Tuesday, January 6, 2015

What is it?

In March 2014, DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT) was published. The Risk Management Framework (RMF) replaces the DOD Information Assurance Certification and Accreditation Process (DIACAP) as the process to obtain authorizations to operate.

The RMF applies to all DOD IT that receives, processes, stores, displays, or transmits DOD information. These technologies are broadly grouped as information systems (IS), platform IT (PIT), IT services, and IT products, including IT supporting research, development, test and evaluation (RDT&E), and DOD-controlled IT operated by a contractor or other entity on behalf of the DOD.

Why is this important to the Army?

Since 2006, DOD has been using the Certification and Accreditation (C&A) process defined in the DIACAP, with IA controls identified in a DOD Instruction. The RMF uses the security controls identified in the CNSS baseline and follows the processes outlined in DOD and NIST publications. With this change, DOD requirements and processes become consistent with the rest of the Federal government, enabling reciprocity.

The RMF is not just about compliance. Although compliance with the requirements remains the foundation for a risk acceptance decision, the decision also considers the likelihood that a non-compliant control will be exploited and the impact to the Army mission if it is.

The RMF introduces an additional requirement for all IT to be assessed, expanding the focus beyond information systems to all information technology. IT owners will need to plan to meet the Assess Only requirements.

The RMF emphasizes continuous monitoring of the effectiveness of security controls employed within or inherited by the system, and monitoring of any proposed or actual changes to the system and its environment of operation. Systems operating with a sufficiently robust system-level continuous monitoring program (as defined by emerging DOD continuous monitoring policy) may operate under a continuous reauthorization. Continuous monitoring does not replace the security authorization requirement; rather, it is an enabler of ongoing authorization decisions.

What has the Army done?

The Army, together with the other combatant commands, services and agencies (CC/S/A), was instrumental in encouraging DOD to revisit the transition timelines. An update to 8510.01 is in DOD-wide staffing, which includes new timelines for RMF implementation, allowing time for the CC/S/A to plan for the transition.

With this transition the Army will move to the DOD Enterprise tool, Enterprise Mission Assurance Support Service (eMASS), for Assess and Authorize (A&A) (formerly C&A) and retire the C&A Tracking Database (TdB) tool. Second Army has been working with RMF early adopters using eMASS to gain lessons learned that will enable a smooth transition for the rest of the Army.

What does the Army have planned for the future?

The Army CIO/G-6 will publish a transition memo to move to the RMF, which will include Army transition timelines. The Army CIO/G-6 will also publish a memo delegating the Security Control Assessor (SCA) (formerly the Certification Authority (CA)) responsibilities to Second Army. The memo will define the roles and responsibilities of the Army CIO/G-6 and Second Army associated with this delegation.

The Army CIO/G-6 is in the process of updating the policies associated with Certification and Accreditation. Second Army will publish a series of operations orders and fragmentary orders announcing the transition phases and the actions required to execute the RMF.
