
Risk Management Framework

Tuesday, January 6, 2015

What is it?

In March 2014, DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), was published. The Risk Management Framework (RMF) replaces the DOD Information Assurance Certification and Accreditation Process (DIACAP) as the process for obtaining authorizations to operate.

The RMF applies to all DOD IT that receives, processes, stores, displays, or transmits DOD information. These technologies are broadly grouped as information systems (IS), platform IT (PIT), IT services, and IT products, including IT supporting research, development, test and evaluation (RDT&E), and DOD-controlled IT operated by a contractor or other entity on behalf of the DOD.

Why is this important to the Army?

Since 2006, DOD has been using the Certification and Accreditation (C&A) process defined in the DIACAP, with IA controls identified in a DOD Instruction. The RMF uses the security controls identified in the CNSS baseline and follows the processes outlined in DOD and NIST publications. With this change, DOD requirements and processes become consistent with the rest of the Federal government, enabling reciprocity.

The RMF is not just about compliance. Although compliance with the requirements remains the foundation for a risk acceptance decision, the decision also considers the likelihood that a non-compliant control will be exploited and the impact to the Army mission if it is.

The RMF introduces an additional requirement for all IT to be assessed, expanding the focus beyond information systems to all information technology. IT owners will need to plan to meet the Assess Only requirements.

The RMF emphasizes continuous monitoring of the effectiveness of security controls employed within or inherited by the system, and monitoring of any proposed or actual changes to the system and its environment of operation. Systems operating with a sufficiently robust system-level continuous monitoring program (as defined by emerging DOD continuous monitoring policy) may operate under a continuous reauthorization. Continuous monitoring does not replace the security authorization requirement; rather, it is an enabler of ongoing authorization decisions.

What has the Army done?

The Army was instrumental, together with the other combatant commands, services and agencies (CC/S/A), in encouraging DOD to revisit the transition timelines. An update to 8510.01 is in DOD-wide staffing; it includes new timelines for RMF implementation, allowing time for the CC/S/A to plan for the transition.

With this transition the Army will move to the DOD enterprise tool, Enterprise Mission Assurance Support Service (eMASS), for Assess and Authorize (A&A) (formerly C&A) and retire the C&A Tracking Database (TdB) tool. Second Army has been working with RMF early adopters using eMASS to gain lessons learned that will enable a smooth transition for the rest of the Army.

What does the Army have planned for the future?

The Army CIO/G-6 will publish a transition memo directing the move to the RMF, which will include Army transition timelines. The Army CIO/G-6 will also publish a memo delegating the Security Control Assessor (SCA) responsibilities (formerly those of the Certification Authority (CA)) to Second Army. The memo will define the roles and responsibilities of the Army CIO/G-6 and Second Army associated with this delegation.

The Army CIO/G-6 is in the process of updating the policies associated with Certification and Accreditation. Second Army will publish a series of operations orders and fragmentary orders announcing transition phases and the actions required for execution of the RMF.
