
PM Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle - September 2015

Benefit/Value

Department of Defense (DoD) systems and networks are constantly under cyber attack. Nearly all defense systems incorporate information technology (IT) in some form and must be resilient against cyber adversaries. This means that cybersecurity applies to weapons systems and platforms; Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) systems; and information systems and networks. Cybersecurity is a critical priority for the DoD and is a vital aspect of maintaining the United States' technical superiority. DoD recently revised several of its policies to more strongly emphasize the integration of cybersecurity into its acquisition programs to ensure resilient systems. This guidebook is intended to assist Program Managers (PMs) in the efficient and cost-effective integration of cybersecurity into their systems, in accordance with the updated DoD policies. The guidebook is based on the following DoD policies:

  • Department of Defense Instruction (DoDI) 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014; cancels the previous DoD Information Assurance Certification and Accreditation Process (DIACAP) and institutes a new, risk-based approach to cybersecurity.
  • DoDI 8500.01, Cybersecurity, March 14, 2014; establishes that cybersecurity must be fully integrated into the system lifecycle.
  • DoDI 5000.02, Operation of the Defense Acquisition System, January 7, 2015; includes regulatory cybersecurity requirements in the following Enclosures: 3 – Systems Engineering (SE), 4 – Developmental Test and Evaluation (DT&E), 5 – Operational and Live Fire Test and Evaluation (OT&E and LFT&E), and 11 – Requirements Applicable to All Programs Containing IT; establishes that cybersecurity RMF steps and activities should be initiated as early as possible and fully integrated into the DoD acquisition process, including requirements management, systems engineering, and test and evaluation.

Additionally, the Joint Capabilities Integration and Development System (JCIDS) Manual, updated February 12, 2015, implements a robust cyber survivability requirement within the mandatory system survivability Key Performance Parameter (KPP). This new requirement will enhance system resilience in a cyber-contested environment or after exposure to cyber threats. 

The risk management framework (RMF) brings a risk-based approach to the implementation of cybersecurity. Transition to the RMF leverages existing acquisition and systems engineering personnel, processes, and the artifacts developed as part of existing systems security engineering (SSE) activities. Unlike a compliance-based checklist approach, the RMF supports integration of cybersecurity into the systems design process, resulting in a more trustworthy system that can dependably operate in the face of a capable cyber adversary. This guidebook emphasizes integrating cybersecurity activities into existing processes, including requirements, SSE, program protection planning, trusted systems and networks analysis, developmental and operational test, financial management and cost estimating, and sustainment and disposal.

This guidebook is based on a set of key tenets that form the basis for the guidance that follows. The following tenets are not exhaustive, but they do outline some of the more important concepts and principles that should be followed to successfully integrate the RMF process into acquisition systems:

  • Cybersecurity is risk-based, mission-driven, and addressed early and continually.
  • Cybersecurity requirements are treated like other system requirements.
  • System security architecture and data flows are developed early, and are continuously updated throughout the system lifecycle as the system and environment (including threats) change, to maintain the desired security posture based on risk assessments and mitigations.
  • Cybersecurity is implemented to increase a system’s capability to protect, detect, react, and restore, even when under attack from an adversary.
  • A modular, open systems approach is used to implement system and security architectures that support the rapid evolution of countermeasures to emerging threats and vulnerabilities.
  • Cybersecurity risk assessments are conducted early and often, and integrated with other risk management activities.
  • As the system matures and security controls are selected, implemented, assessed, and monitored, the PM collaborates with the authorizing official (AO), the individual responsible for ensuring the cybersecurity risk posture of the system is managed and maintained during operations, to ensure the continued alignment of cybersecurity in the technical baselines, system security architecture, data flows, and design.
  • Reciprocity is used where possible through sharing and reuse of test and evaluation products, i.e., "test once and use by all."

ID: 721696
Date Created: Tuesday, June 2, 2015 9:34 AM
Date Modified: Wednesday, January 20, 2016 7:20 AM