

Risk Management Framework (RMF) for DoD IT: Even though the RMF was officially signed in March 2014, it isn’t widely used throughout the DoD. It has taken time for the DoD components to ensure their approval processes and tracking systems can handle RMF-based system authorizations. As the DoD enhances their capabilities to migrate from DIACAP to RMF, 3fold is here to assist.

If you’re transitioning from DIACAP to RMF or starting fresh with RMF, here’s what to expect:

Depending on the system’s categorization, the number of applicable security controls is in the 300-475 neighborhood (compared to roughly 100 for DIACAP). That sounds like a lot (and it is) but the NIST-based controls are written at an easier-to-follow level than classic DIACAP-based controls to offer better direction and clearly defined assessment criteria – so there’s your silver lining.


You will definitely need your policies in place. Validators and Authorization Officials (AOs) want to ensure your policies are up-to-date and compliant with the selected security controls. Some organizations may have decent policies, some may not – but in either case, checking policies’ compliance with the 300-475ish controls is imperative.

RMF supports continuous monitoring of controls, giving accreditation a more blended approach than the historic hair-on-fire-every-three-years one. This means you’ll have automated mechanisms to continuously verify and report compliance for a portion of your security controls, and the rest will be grouped into one of three annual assessments so that the entire set of controls is validated over the course of three years.

The DoD’s reliance on DISA / NSA security configuration and implementation guides (STIGs and SRGs) carries forward to RMF. Secure servers, hosts, applications, and networks are paramount to ensuring a good foundation of security and these resources are a great help to any sysadmin trying to lock a system down.

So, whether you're looking to secure your systems/devices, develop compliant security policies, navigate the red tape surrounding compliance, conduct an independent third-party review, or just come up with a justifiable reason to pursue such an endeavor, give us a call.
