The DoD Risk Management Framework (RMF) describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and for authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT) systems. RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible, and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP).

Manual: Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) – 4 Jun 2018

Website: Defense Security Service RMF

The objectives of the RMF process include: [1]

  • Incorporating cybersecurity early and robustly in the acquisition and system development life cycle.
  • Implementing a three-tiered approach to risk management that addresses risk-related concerns at the enterprise level, the mission and business process level, and the information system level.
  • Providing a risk management methodology that gives organizations a true picture of the vulnerabilities caused by non-compliant controls, as they relate to other risk factors (e.g. likelihood, threat, and impact).
  • Codifying system authorization reciprocity to enable organizations to accept approvals by other organizations for interconnection or reuse of IT without retesting.
  • Emphasizing information security continuous monitoring and timely correction of deficiencies, including active management of vulnerabilities and incidents.

The RMF process parallels the defense acquisition process from initiation and consists of six (6) steps: [1]

  1. Categorize System,
  2. Select Security Controls,
  3. Implement Security Controls,
  4. Assess Security Controls,
  5. Authorize System, and
  6. Monitor Security Controls.

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management.

  • Tier 1 Strategic Level: Addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).
  • Tier 2 Mission / Business Processes Level: At this level, the Component CIO is responsible for administration of the RMF within the DoD Component cybersecurity program.
  • Tier 3 IS and PIT Systems Level: The DoD Component Heads are responsible for the appointment of trained and qualified Authorizing Officials (AOs) for all DoD ISs and PIT systems within their Component.

Updated: 10/08/2018