Guidance on Cybersecurity Implementation in Acquisition Programs
Reducing cyber risk
By CHIPS Magazine - November 6, 2015
The Department of Defense has directed the DoD acquisition workforce to follow the guidance in the DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) ... “to assist acquisition Program Managers and their teams in effectively applying the cybersecurity risk management framework to design, build, and test systems addressing cybersecurity capability requirements to operate in a cyber-contested environment.

“The guidebook explains key concepts and activities for successful implementation of RMF activities and aligns them with all phases of the Department of Defense acquisition lifecycle, including development, operational testing, fielding, and sustainment,” wrote Department of Defense Chief Information Officer Terry Halvorsen and Under Secretary of Defense for Acquisition, Technology, and Logistics Frank Kendall in a joint memo signed Oct. 30.

The guidebook describes in detail the cybersecurity-related roles and responsibilities, as well as the development and maturation of cybersecurity artifacts and activities.

Halvorsen and Kendall wrote: “A vital aspect of maintaining U.S. technological superiority and military readiness is ensuring cybersecurity of our information technology systems, weapon systems, and networks. Program Managers must assume that the system they field, including their external interfaces, will be under cyber attack. By implementing the practices in the referenced guidebook, programs will be able to more effectively plan, design, develop, test, manufacture, and sustain systems that are more resilient in the face of cyber warfare conducted by a capable adversary.

“To be cost-effective, cybersecurity must be addressed early within acquisition and be thoughtfully integrated with systems engineering, test and evaluation, and other acquisition processes throughout the system lifecycle.

“Information, such as system security engineering guidance, sample language for consideration in requests for proposal and contracts, and the cybersecurity risk assessment process, is also presented to assist Program Managers.”

The guidebook will be updated as lessons learned are identified to ensure that the cybersecurity guidance remains timely, relevant, and actionable, according to the memo.

Download the "DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle," Version 1.0, MAY-26-2015 at https://acc.dau.mil/CommunityBrowser.aspx?id=721696&lang=en-US.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988