The Department of Defense (DoD) released DoD Instruction 8510.01, DoD Risk Management Framework (RMF) for DoD Information Technology (IT) March 12. This instruction replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP). It specifies that all DoD IT falls under the auspices of the RMF and is broadly grouped as DoD Information Systems (IS), platform IT (PIT), IT services and IT products. This includes IT that supports research, development, testing and evaluation (T&E), as well as DoD-controlled IT operated by a contractor or other entity on behalf of the DoD. Some key transformation highlights are shown in Figure 1.
DoD also updated the foundational DoD instruction on cybersecurity, DoD Instruction 8500.01 on the same date. The update emphasizes operational resilience, integration, and interoperability; adopts the federal cybersecurity terminology into a common language; transitions DoD to the National Institute of Standards and Technology (NIST) Special Publication 800-53 Security Control Catalog; and incorporates security early and continuously within the acquisition lifecycle.
The updated DoD instructions leverage and build upon numerous existing federal policies and standards, decreasing the amount of DoD policy to write and maintain. The instructions describe how DoD will maintain alignment and transition when federal requirements and policies change.
The RMF expands upon what IT is included in the process; requires all DoD IS and PIT systems be categorized in accordance with Committee on National Security Systems Instruction 1253; requires assessment and authorization of DoD IS and PIT systems; adopts NIST’s RMF used by civil and intelligence communities; provides clarity regarding the IT that should undergo the RMF process and how; supports and promotes enterprise-level authorization of IT systems and services; embeds the RMF steps and activities in the DoD acquisition lifecycle; and strengthens enterprise-wide IT governance. The RMF requires cybersecurity risk management for all DoD IT, but not all forms of IT will be required to be both assessed and authorized. Figure 2 shows the DoD IT that is required to be assessed and authorized, and the IT that only requires assessment. Figure 3 shows the full RMF lifecycle for IS and PIT systems.
Over the multiyear DoD effort to update and align with the federal community for cybersecurity processes and requirements, the DON actively participated in many DoD and federal level working groups. These groups developed overlays (structured additions or subtractions of security control to the baseline reflecting an information type, environmental or operational considerations, like privacy or space), defined DoD enterprise specific values for security controls and developed DoD implementation guidance and validation procedures for all NIST security controls. These efforts are shaping the DoD transition to the RMF and ensure DON interests are represented and addressed in the DoD policies and processes, as appropriate.
The DoD transition to the RMF will be measured in a method similar to the DIACAP transition. IS and PIT systems, depending on the accreditation status, are required to transition within six months and up to 3.5 three years of the RMF release. (Figure 4 shows the DoD initial transition timelines.)
DoD is not requiring immediate transition to the RMF upon release to allow time for critical supporting guidance, automated tool updates, and training from DoD and the components to be developed and released. In the coming months the DON Chief Information Officer (DON CIO) will release policy addressing component specific guidance regarding transition of all DON information systems and platform IT systems to the RMF in accordance with the DoD timelines.
The DON is committed to ensuring the security of our IT systems. The DON CIO will post updated guidance related to the RMF transition as it is released.
Jennifer M. Ellett and Shaun Khalfan are Certified Information Systems Security Professionals (CISSP) and members of the Department of the Navy CIO Cybersecurity and Infrastructure Team.