The Risk Management Framework (RMF) Knowledge Service is DoD CIO’s authoritative source for implementing the RMF and DIACAP: https://rmfks.osd.mil/ *not a public site*
DoD RMF Documentation:
The DoD RMF is based on DoDI 8500.01, Cybersecurity and DoDI 8500.01, Risk Management Framework (http://iase.disa.mil/rmf/Pages/guidance.aspx).
DoDI 8500.01 – Cybersecurity
This DoD Instruction replaces the previous Information Assurance (IA) guidance under DoDD 8500.01, November 21, 2003.
DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
This DoD Instruction replaces the previous DIACAP guidance under DoDI 8510.01, November 28, 2007.
These policies refer to the NIST 800 series. Specifically, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and NIST SP 800-53 rev 4, Security and Privacy Controls for Federal.
CNSS RMF Guidance:
CNSSI No. 1253 for CNSS Home page and select “Instructions” from Library drop down.
Security Categorization and Control Selection for National Security Systems – This document replaces previous version dated 3 March 2012. Overlays are now Appendix F vice K.