
Introduction to RMF for DoD IT

The RMF is a well-defined structure that integrates security and risk management activities into the system development life cycle and governs the authorization of IT for use in the Department of Defense. It replaces the traditional view of C&A as a static, routine activity with a more dynamic process that is better able to manage information system-related security risks in the face of complex and sophisticated cyber threats and growing system vulnerabilities. The RMF applies to all DoD IT that receives, processes, stores, displays, or transmits DoD information, which includes DoD information systems, platform IT (PIT), IT services, and IT products.

The RMF has the following characteristics:

  • Promotes the concept of ongoing risk management and ongoing information system authorization through continuous monitoring processes.

  • Encourages the use of automation to provide senior leaders with the information necessary to make cost-effective, risk-based decisions concerning the organizational information systems supporting their core missions and business functions.

  • More fully integrates information security into the enterprise architecture and system development life cycle.

  • Promotes reciprocity and reuse of test results and assessment documentation as the norm, thus saving time and resources while enhancing interoperability.

  • Links information system-level risk management processes to organization-level risk management processes through a risk executive (function).

  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

Both risk management and information system authorization are treated as ongoing processes supported by continuous monitoring. Automation delivers the information senior leaders need to make cost-effective, risk-based decisions about the information systems that support their organization's key missions and core operations. As a result, information security is more fully integrated into the organization's architecture and system development life cycle. Reciprocity and the sharing of test results and assessment documentation are expected as the norm, saving time and resources while enhancing interoperability. Through a risk executive (function), risk management processes at the information system level are linked to those at the organization level, and that linkage holds organizations accountable and responsible for the security controls deployed in their information systems.



The RMF establishes direct responsibility and accountability for security controls within organizational information systems, including controls inherited by those systems. The RMF process consists of the following steps:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on impact analysis.

  • Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

  • Implement the security controls and describe how they are employed within the information system and its operating environment.

  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome for meeting the security requirements for the system.

  • Authorize information system operation based on determining the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

  • Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the system's security state to designated organizational officials.

DoDI 8500.01, "Cybersecurity," and DoDI 8510.01, "Risk Management Framework for DoD Information Technology," were revised to replace the DoD DIACAP and establish the RMF. The RMF KS and eMASS are dedicated to supporting and enhancing the RMF's implementation. eMASS automates and manages the DoD Cybersecurity Program and other cybersecurity services that extend the existing program. In addition, current enterprise policy and guidance are disseminated via the KS to further promote online collaboration.


Acronym dictionary:


CI - Counterintelligence

CIO - Chief Information Officer

CNSS - Committee on National Security Systems

CNSSI - Committee on National Security Systems Instruction

DIA - Defense Intelligence Agency

DIACAP - DoD Information Assurance Certification and Accreditation Process

eMASS - Enterprise Mission Assurance Support Service

IA - Information Assurance

IO - Information Owner

IS - Information System

IT - Information Technology

KS - Knowledge Service

LE - Law Enforcement

MA - Mission Area

NIST - National Institute of Standards and Technology

NSS - National Security System

PIT - Platform Information Technology

RMF - Risk Management Framework


Glossary:


Authorization - Access privileges granted to a user, program, or process or the act of granting those privileges.


Common controls - A security control inherited by one or more organizational information systems.


Continuous monitoring - The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes the following:

  1. The development of a strategy to regularly evaluate selected IA controls/metrics.

  2. Recording and evaluating IA-relevant events and the effectiveness of the enterprise in dealing with those events.

  3. Recording changes to IA controls or changes that affect IA risks.

  4. Publishing the current security status to enable information-sharing decisions involving the enterprise.


Cybersecurity - Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23.


IA - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include restoring information systems by incorporating protection, detection, and reaction capabilities.


IO - The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.


IS - A discrete set of information resources organized for collecting, processing, maintaining, sharing, disseminating, or disposing of information. Note: Information systems include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.


IT - Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which 1) requires the use of such equipment or 2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment, software, firmware, similar procedures, services (including support services), and related resources.


MA - A defined area of responsibility with functions and processes contributing to mission accomplishment.


Operational resilience - The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.


Overlay - A specification of security controls and supporting guidance used to complement the security control baselines and parameter values in CNSSI No. 1253 and to complement the supplemental guidance in NIST SP 800-53. An overlay's specifications may be more stringent or less stringent than the controls and guidance complemented.


System development life cycle - The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal, which instigates another system initiation.


UC - Unified Capabilities: The integration of voice, video, and/or data services delivered ubiquitously across a secure and highly available network infrastructure, independent of technology, to provide increased mission effectiveness to the warfighter and business communities.


UR - User Representative (COMSEC): Individuals authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered.




 
 
 
