ConvoCourses

Cyber Security Compliance and IT Jobs

8510

Risk Management Framework (RMF) for DoD Information Technology (IT)

by Leave a Comment

The Risk Management Framework (RMF) Knowledge Service is DoD CIO’s authoritative source for implementing the RMF and DIACAP: https://rmfks.osd.mil/ *not a public site*

DoD RMF Documentation:

The DoD RMF is based on DoDI 8500.01, Cybersecurity and DoDI 8500.01, Risk Management Framework (http://iase.disa.mil/rmf/Pages/guidance.aspx).

DoDI 8500.01 – Cybersecurity
This DoD Instruction replaces the previous Information Assurance (IA) guidance under DoDD 8500.01, November 21, 2003.

DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
This DoD Instruction replaces the previous DIACAP guidance under DoDI 8510.01, November 28, 2007.

 

Cybersecurity and RMF
Cybersecurity and RMF

These policies refer to the NIST 800 series.  Specifically, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and NIST SP 800-53 rev 4, Security and Privacy Controls for Federal.

CNSS RMF Guidance:
CNSSI No. 1253 for CNSS Home page and select “Instructions” from Library drop down.
Security Categorization and Control Selection for National Security Systems – This document replaces previous version dated 3 March 2012. Overlays are now Appendix F vice K.

DoDI 8500 8510 DIARMF signed

by 4 Comments

DoDI 8500 8510 DIARMF signed?

It is 11 Mar 2014 and there is nothing at all officially distributed.  Check here: http://www.dtic.mil/whs/directives/index.html

There is nothing posted on the DoD CIO site: http://dodcio.defense.gov/

Nothing on the DON CIO site: http://www.doncio.navy.mil/

Since 2011 I have been hearing about DIARMF –

Rumor has it, Ms Teresa Takai signed it.  That means the next step is distribution.

dod teri takai DoDI 8500 and 8510 DIARMF signed
dod teri takai DoDI 8500 and 8510 DIARMF signed

Update:

DoDI 8500 and 8510 DIARMF have been signed and are in the process of being distributed

 Implements References (c) through (f) by establishing the RMF for DoD IT (referred to in this instruction as “the RMF”), establishing associated cybersecurity policy, and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT in accordance with References (g) through (k)
We have bee calling it DIARMF for years (because thats what they originally told us the name would be.  But I guess the name will be RMF for DoD IT, or just RMF… I guess.
Since we did not know what to call it, we were calling it DIARMF even on resumes.  Technically we should not have called it anything since it did not officially exist for 3 years.  But the thing is that some of us were in the middle of Certification & Accreditation on major projects while they were telling us the ENTIRE process was about to change.