The Department of Defense is transitioning from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) for DoD Information Technology (IT). RMF is the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and for authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT).
What does this mean for commercial information systems (external or internal) and PIT?
Based on what is written in the Risk Management Framework DoD Instruction 8510.01:
- This process is applicable to all IS and PIT systems, as well as DoD partnered systems where it has been agreed that DoD standards will be followed.
- IT below the information system level (e.g., products, IT services) will not be subjected to the full process described in DoDI 8510.01, March 12, 2014. However, IT below the system level must still be securely configured (in accordance with applicable DoD policies and security controls), documented in the authorization package, and reviewed for acceptance by the responsible Information System Security Manager (ISSM) under the direction of the Authorizing Official (AO).
I would caution that this is initial guidance. We have no way to know yet what the actual impact will be once these requirements are written into commercial contracts, nor how broadly other requirements will be designated as "below the information system level". This is definitely something we will update as the transition occurs. Ultimately, having an RMF consultant under contract at the time of negotiation may help you confirm the scope of the work and the responsibilities assigned to each party. Praetorian Secure provides consulting and advisory services related to the DoD IT Risk Management Framework and NIST SP 800-53.
What are the steps in the Risk Management Framework Process Flow?
The Risk Management Framework (RMF) for DoD IT, DoDI 8510.01, March 12, 2014, Enclosure 6, describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and for authorizing the operation of IS and PIT systems.
The enclosure in DoDI 8510.01 is designed as a companion guide to NIST SP 800-37, providing specific guidance for implementation within DoD. Personnel in RMF roles at every level should refer to NIST SP 800-37 for a full description of the process, definitions, roles and responsibilities, and activities. Where NIST SP 800-37 conflicts with the instruction, compliance with the instruction takes precedence and is required. We include the steps and details of the process below. Contact us if you have further questions about the transition to the DoDI 8510.01 Risk Management Framework or any other compliance standard you need support with (NIST, PCI DSS, ISO 27001, NERC CIP, HIPAA, PII, ePHI).
Risk Management Framework (RMF) Process Flow for Information Systems and Platform IT Systems