Risk Management Framework.
These three words are likely to bristle the hairs on the necks of information technology professionals across the U.S. Department of Defense (DOD), and for good reason. For years, the Defense Information Assurance Certification and Accreditation Process (DIACAP) has been the U.S. government's go-to procedural mandate for securing DOD information systems. It is a painstaking process that we've evolved to accept and incorporate into our IT security management practices, one that ushers in a few choice words on the three-year anniversary of system authorization, when it comes time to don our cybersecurity hats for re-assessment through a barrage of security controls, Defense Information Systems Agency (DISA) security technical implementation guides (STIGs) and security requirement guides (SRGs), vulnerability scans, plan of action and milestones (POA&M) generation and updates, and so on, all in an effort to ensure that security compliance has been met. In March 2014, just as we thought we had the process down, the DOD published DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), which designates the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) as the new mandate to be adhered to. Mandatory implementation of RMF across the DOD begins October 1, 2016, with 100-percent implementation and compliance to be reached by mid-2018. The process is derived from the NIST 800 series of publications, which lay out implementation guidance in great and cumbersome detail.