The Risk Management Framework (RMF) Knowledge Service is DoD CIO’s authoritative source for implementing the RMF and DIACAP: https://rmfks.osd.mil/ *not a public site*
DoDI 8500.01 – Cybersecurity
This DoD Instruction replaces the previous Information Assurance (IA) guidance under DoDD 8500.01, November 21, 2003.
DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
This DoD Instruction replaces the previous DIACAP guidance under DoDI 8510.01, November 28, 2007.
Cybersecurity and RMF
These policies refer to the NIST 800 series. Specifically, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and NIST SP 800-53 rev 4, Security and Privacy Controls for Federal.
CNSS RMF Guidance:
CNSSI No. 1253: go to the CNSS Home page and select “Instructions” from the Library drop-down.
Security Categorization and Control Selection for National Security Systems – This document replaces previous version dated 3 March 2012. Overlays are now Appendix F vice K.
It is 11 Mar 2014 and there is nothing at all officially distributed. Check here: http://www.dtic.mil/whs/directives/index.html
There is nothing posted on the DoD CIO site: http://dodcio.defense.gov/
Nothing on the DON CIO site: http://www.doncio.navy.mil/
Since 2011 I have been hearing about DIARMF –
Rumor has it, Ms Teresa Takai signed it. That means the next step is distribution.
Update:
DoDI 8500 and 8510 DIARMF have been signed and are in the process of being distributed
Implements References (c) through (f) by establishing the RMF for DoD IT (referred to in this instruction as “the RMF”), establishing associated cybersecurity policy, and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT in accordance with References (g) through (k)
We have been calling it DIARMF for years (because that's what they originally told us the name would be). But I guess the name will be RMF for DoD IT, or just RMF… I guess.
Since we did not know what to call it, we were calling it DIARMF even on resumes. Technically we should not have called it anything since it did not officially exist for 3 years. But the thing is that some of us were in the middle of Certification & Accreditation on major projects while they were telling us the ENTIRE process was about to change.