RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and adopts the term cybersecurity in place of information assurance.
The RMF process is applicable to all IS and PIT systems, as well as DoD partnered systems where it has been agreed that DoD standards will be followed. IT below the system level (e.g., products, IT services) will not be subjected to the full RMF process. However, IT below the system level must be securely configured (in accordance with applicable DoD policies and security controls), documented in the authorization package and reviewed by the responsible Information System Security Manager (under the direction of the Authorizing Official) for acceptance or connection into an authorized computing environment.
The RMF process consists of six steps: Categorize System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls. This process parallels the system life cycle, with the RMF activities being initiated at program or system inception (e.g., documented during capabilities identification or at the implementation of a major system modification).
The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management. Tier 1 is the strategic level, and it addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC). Tier 2 is the Mission / Business Processes level. At this level, the Component CIO is responsible for administration of the RMF within the DoD Component cybersecurity program. Tier 3 is the IS and PIT Systems level. Here, the DoD Component Heads are responsible for the appointment of trained and qualified Authorizing Officials for all DoD ISs and PIT systems within their Component.
Michael is certified in and has authored courses in Cisco ICND 1 & 2, EC-Council Certified Ethical Hacker, CompTIA Security+, Network+, Linux+, and CASP, ISACA CISM and CISA, and ISC2 CISSP and CAP. With an active TS/SCI, he has been a speaker at the Atlanta Advanced Persistent Threat (APT) Summit, the NETCOM Cybersecurity Workshop, and cybersecurity informational workshops for corporations such as HP, Booz Allen, Northrop Grumman, Harris Communications and others.