Professional Documents
Culture Documents
| #siagov18
Understanding the RMF Process for
DOD Information Technology
SSC Atlantic is part of the Naval Research & Development Establishment (NR&DE)
Distribution Statement A: Approved for public release; distribution is unlimited (26 June 2018)
What is Risk Management Framework (RMF)
▼ What is RMF?
▪ New authorization process that requires DoD Information Systems (IS) and Platform Information Technology
(PIT) systems to assess their Cybersecurity risks
− Replaces DIACAP
− Emphasizes Continuous Monitoring in lieu of compliance checks
▼ Goals of RMF
▪ Base authorization decisions on the acceptance of risk
and not the management of vulnerabilities
▪ Perform risk assessment throughout SDLC
▪ Improve understanding of risks to systems and missions
RMF
Step 5 Step 3
AUTHORIZE IMPLEMENT
System Security Controls
Step 4
ASSESS • Implement control solutions consistent with
• Prepare the POA&M
DoD Component Cybersecurity
• Submit Security Authorization Security Controls architectures
Package (Security Plan, SAR, and
• Document security control implementation
POA&M) to AO • Develop and approve Security in Security Plan
• AO conducts final risk determination Assessment Plan
• AO makes authorization decisions • Assess security controls
• SCA prepares Security Assessment
Report (SAR)
• Conduct initial remediation actions
SSC Atlantic is part of the Naval Research & Development Establishment (NR&DE)