Over the next few weeks, I plan to post about the RMF process. This will piggyback on and expand upon the article: My Experience with the DoD Version of the RMF.
A little background on how the DoD got to the RMF. For those that have been around a while, it started with the Rainbow series of publications, most notably the Trusted Computer System Evaluation Criteria also known as The Orange Book. This was a first go at assessing computer security. The next evolution of this effort became known as the Common Criteria. For the DoD, the next stage was the DoD Information Assurance Certification and Accreditation Process (DIACAP).
DIACAP was published in November 2007 and was intended to be implemented alongside the system life-cycle; it was often depicted running in parallel with that life-cycle. DIACAP consisted of five stages: Initiate and plan IA C&A; Implement and validate assigned IA controls; Make Certification & Accreditation decision; Maintain Authorization to Operate (ATO) and conduct reviews; and Decommission. Each of these was further broken down into sub-steps. It set the standard for systems to meet and mandated that all findings be addressed in some manner before an ATO would be awarded. This instruction also defined the controls a system was expected to meet based on its Mission Assurance Category and Confidentiality Level.
Part of the mandate for DIACAP was FISMA. As part of FISMA, the National Institute of Standards and Technology (NIST) was directed to establish a process and controls to be used by federal systems other than DoD or national intelligence systems. Out of this effort came the Risk Management Framework (RMF). This framework and its supporting publications defined processes and controls for those systems, and the work was done in parallel with the DoD and intelligence community efforts. As part of the National Defense Authorization Act of 2013, the DoD and intelligence community were directed to improve the security of their systems. To do that, the decision to adopt the RMF was made. As of 2016, all new systems and ATO renewals were to be done under the RMF process.
The next article in this series will cover the process and will start to dive into the first step of the RMF process.