Security Magazine

From DIACAP to RMF: 5 Useful Tips to Start Your Compliance Transition Off on the Right Foot

By Adam Godfrey
Figure 1: RMF Lifecycle. Find more at http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?id=5015

August 23, 2016

Risk Management Framework. 

These three words are likely to raise the hairs on the necks of information technology professionals across the U.S. Department of Defense (DOD), and for good reason. For years, the Defense Information Assurance Certification and Accreditation Process (DIACAP) has been the U.S. government’s go-to procedural mandate for securing DOD information systems. It is a painstaking process that we have learned to accept and fold into our IT security management practices, usually with a few choice words on the three-year anniversary of system authorization, when it comes time to don our cybersecurity hats for re-assessment: a barrage of security controls, Defense Information Systems Agency (DISA) security technical implementation guides (STIGs) and security requirements guides (SRGs), vulnerability scans, plan of action and milestones (POA&M) generation and updates, and so on, all in an effort to demonstrate that security compliance has been met.

In March 2014, just as we thought we had the process down, the DOD published DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), naming the National Institute of Standards and Technology (NIST) Risk Management Framework as the new mandate on the block. Mandatory implementation of RMF across the DOD begins October 1, 2016, with 100-percent implementation and compliance to be reached by mid-2018. The process is derived from the NIST Special Publication 800 series (chiefly SP 800-37 for the process itself and SP 800-53 for the control catalog), which lay out implementation guidance in great and cumbersome detail.

The framework consists of a six-step process (see Fig. 1): categorize the system, select controls, implement controls, assess controls, authorize the system, and monitor continuously. It is designed to facilitate continuous risk management and compliance, rather than the “set it and forget it” approach that was characteristic of DIACAP, which required re-assessment only every three years and forewent many of the proactive measures RMF now requires throughout the lifecycle of the information system.

To date, migration from DIACAP to RMF has been avoided like the plague by the majority of DOD organizations. The procedural guidance is overly verbose, yet at the same time vague about how the framework may be effectively implemented within a DOD environment and, even more confusingly, about how to transition from DIACAP to RMF in an efficient and sensible manner. There isn’t yet a great deal of supporting information out there on the street about how to pull this off or what pitfalls to look out for. What I’m aiming to do here is provide a little high-level insight into the dynamics of the conversion process, from the perspective of someone who has already converted a DOD enterprise environment from DIACAP to RMF and has been actively engaged in drafting RMF implementation guidance for the DOD. I won’t delve into the intricacies of the implementation and conversion process; these are simple lessons learned that will hopefully steer your DIACAP-to-RMF transition efforts onto a positive course.

  1. This isn’t DIACAP. Accept it and move on: Avoid at all costs the tendency to compare everything under RMF to DIACAP. On the surface, it may be easy to assume the similarities between the two are greater than they truly are. They’re not. Avoid the trap of locking into a cycle of meetings and discussions centered on how things were done under DIACAP versus what is required under RMF. Here’s the trick: let go of the past. This isn’t DIACAP and, although existing documentation, procedures and the like are tremendously useful for jump-starting RMF development and implementation, the majority of that documentation will have to be re-worked anyway to meet RMF-specific mandates that didn’t exist under DIACAP. Save yourselves some time: collect every existing artifact you can gather and get going on the re-writes to meet RMF requirements. There’s a long road ahead and no time for debate over how to beat the process. The only way to “beat” it is to withhold the explicit information RMF calls for, in the format RMF requires, and that is simply non-compliance.
  2. Be mindful of your resources: Before initiating the RMF conversion, assess your current resources and cast aside the assumption that RMF can be implemented efficiently on a DIACAP budget. It cannot. Rather than head down this trail only to discover mid-way that, for lack of resources, you are unable to meet the requirements of the assessment and authorization (A&A) process without completely abandoning your primary organizational mission, ensure you are adequately staffed and funded to accommodate such a rigorous transition. Although this may not be the case for all, there is a high likelihood that additional contractors or other supporting personnel will need to be called in as reinforcement.
  3. Don’t get carried away. Start with the basics: On a surface level it’s easy to assume that RMF is simply yet another framework carrying on in the tradition of DIACAP and its predecessor DITSCAP; this couldn’t be farther from the truth. The transition may look like an opportunity to revamp information security management practices by adding processes, altering methodology and so on, but you’re advised to stand down and weather the storm ahead before cruising into the heart of it armed only with a wet map and a dinghy. The complexity of RMF implementation is staggering: depending on system categorization and the overlays applied, it consists not merely of hundreds of security controls but of thousands of control correlation identifiers (CCIs), each of which acts as a control in its own right. Each CCI represents a single actionable component of the overarching security control. Where DIACAP grouped all actionable items under one control without delineation, RMF lists each requirement under a unique identifier, forcing responsible parties to acknowledge every single one independently and document it accordingly in the security authorization package management tool of choice. At the helm of each of the 18 security control families sits a separate policy that will need to be drafted, each requiring extensive review and concurrence among stakeholders so that every department’s feedback is considered before it is signed into action. Scattered throughout those CCIs are various plans, guidance documents and the like, all of which are mandates under RMF and must be in place before authorization is rendered. These are only the beginning, and it’s imperative that your professional staff aren’t burdened with unnecessary visions of change that less-involved or non-technical managerial staff may be tempted to instate. There is always time for change later. Focus on executing the basics and get to know the core process first.
  4. Hosting enclaves first, subordinate systems next: If the debate ever arises over whether to transition hosting enclaves or subordinate systems first, the answer is this: hosting enclaves. Because of the way inherited controls work, the many-to-one, umbrella nature of RMF controls makes it far easier for an RMF-authorized enclave to issue inheritance to a DIACAP-accredited subordinate than for a DIACAP-accredited enclave to supply what an RMF subordinate needs. You will encounter many scenarios in which several DIACAP controls fit comfortably inside a single RMF control. Remember those CCIs? They are the reason RMF controls cover a broader range of requirements per control than DIACAP. Additionally, if you use an authorization package management suite such as Enterprise Mission Assurance Support Service (eMASS) or Xacta IA Manager, you cannot issue or receive inheritance across dissimilar accreditation frameworks. In other words, if you want to use the system to inherit a DIACAP control to satisfy an RMF control at a lower level, it cannot be done, and neither can the opposite. It therefore makes more managerial sense to transition a hosting enclave first, then let subordinate systems pick up inheritance as they cross over alongside their hosting big brother. In the interim, inheritance relationships may be tracked and documented through external memorandums of agreement or understanding (MOA/MOU) and entered electronically later as the subordinate-level RMF transitions unfold.
  5. Clean up your artifacts: Because roles and requirements have changed under RMF, existing artifacts issued under DIACAP will need to be re-created, even if they have no expiration date. RMF mandates call for artifacts supporting specific roles, procedures and so on, so verbiage and processes will require alteration to make them usable under the new framework. As part of this process, take a moment to re-evaluate the necessity of each artifact and resist the urge to carry the full load from the old package into the new one. Odds are, the majority of these artifacts are redundant, unnecessary or inapplicable, expired, or otherwise simply no longer desirable or welcome additions to the new authorization package. Use this opportunity to do some spring cleaning of your supporting documentation and move into RMF with a clear view not only of where you stand, but also of where you’re headed.

The RMF transition process is riddled with head-scratching moments and endless meetings that can lock up weeks of valuable work time. These tips, although very high-level and seemingly simplistic, may shave days, weeks or even months off your implementation schedule if you enter the process with a general awareness of these pitfalls and how to avoid them early on.

KEYWORDS: cybersecurity compliance NIST cyber security framework security risk management

Adam Godfrey, CISSP, is a Cybersecurity Policy and Compliance Consultant to the Department of Defense (DoD) for Booz Allen Hamilton. He has spent more than 16 years supporting the DoD in the areas of cybersecurity policy and guidance, IT project management, systems administration, cybersecurity compliance auditing, cybersecurity incident response, and cybersecurity awareness education of DoD personnel.