Risk Management Framework

Wednesday, October 21, 2015

What is it?

The Risk Management Framework (RMF) is a set of information system security standards developed by the National Institute of Standards and Technology (NIST) with the goals of improving information security, strengthening the overall risk management process, and encouraging system reciprocity among federal agencies. Its implementation – from the strategic to tactical levels – puts the Department of Defense on the same framework as the rest of the U.S. Government. The RMF process replaces the DOD Information Assurance Certification and Accreditation Process (DIACAP) and eliminates the need for the Networthiness process. The RMF – unlike DIACAP, which only assessed systems and enclaves – assesses the technology and all things outside it.

What has the Army done?

The Network Enterprise Technology Command (NETCOM), in close coordination with the Army CIO/G6, is leading the Army’s transformation away from the DIACAP process, delivering comprehensive training, developing operational tactics, techniques and procedures (TTPs), and coaching and mentoring organizations and service providers through the RMF process. System owners, cybersecurity professionals, and other stakeholders now use the Enterprise Mission Assurance Support Service (eMASS), which automates the process and implements and enforces RMF, while improving visibility into the RMF process from beginning to end.

What does the Army have planned for the future?

The Networthiness process will be eliminated. Requirements definition is currently underway, being worked by the DOD, the Army Chief Information Office/G-6 (lead), and other Army organizations. Additionally, the Army is working on identifying standard framework security control inheritance, building efficiencies by leveraging work already done by Network Enterprise Centers (NECs) and higher-level service providers. NETCOM has directed organizations to identify those security controls that could be inherited by other organizations within their installation/campus area networks.

Why is this important to the Army?

Implementing RMF will improve cybersecurity reciprocity, increase efficiency and assist with cost savings. By using the same instruments other government agencies use when assessing risk, there may be no need to redo the costly assessment process. Having currently documented risks that another agency/service has assumed or assessed – rather than assessing systems again – saves time and money. Assessments are based on the mission, intelligence requirements, criticality of the system, and risk tolerance of the Army/Command, leading to a more uniform execution of the RMF. It also standardizes language across the services and agencies, improving understanding throughout the DOD.
