June 27 – 28, 2018 | Washington, D.C.

| #siagov18
Understanding the RMF Process for
DOD Information Technology

Damon Lam Hank Osborne

SPAWAR SPAWAR
Space and Naval Warfare Systems
Center Atlantic
Risk Management Framework (RMF)

Presented to: Hank Osborne

SIA GovSummit and
Damon Lam

SSC Atlantic is part of the Naval Research & Development Establishment (NR&DE)
Distribution Statement A: Approved for public release; distribution is unlimited (26 June 2018)
What is Risk Management Framework (RMF)
▼ What is RMF?
▪ New authorization process that requires DoD Information Systems (IS) and Platform Information Technology
(PIT) systems to assess their Cybersecurity risks
− Replaces DIACAP
− Emphasizes Continuous Monitoring in lieu of compliance checks

▼ Goals of RMF
▪ Base authorization decisions on the acceptance of risk
and not the management of vulnerabilities
▪ Perform risk assessment throughout SDLC
▪ Improve understanding of risks to systems and missions

▼ Allows systems to potentially inherit security control implementation

▼ Security control selection and implementation occurs as part of the SDLC
▼ Uses continuous monitoring to support risk management decisions and
maintain organizational risk tolerance at acceptable levels
Reference: DoDI 8510.01, Change 2; July 28, 2017
Distribution Statement A: Approved for public release; distribution is
unlimited (26 June 2018)
Does RMF Apply to My Systems?

Reference: DoDI 8500.01

Distribution Statement A: Approved for public release; distribution is
unlimited (26 June 2018)
DoD RMF Steps
Step 1
CATEGORIZE
System
Step 6 • Categorize the system in accordance Step 2
MONITOR with the CNSSI 1253 SELECT
• Initiate the Security Plan
Security Controls • Register system with DoD Component Security Controls
Cybersecurity Program
• Determine impact of changes to the system and • Assign qualified personnel to RMF • Common Control Identification
environment roles • Select security controls
• Assess selected controls annually • Develop system-level continuous
• Conduct needed remediation monitoring strategy
• Update Security Plan, SAR, and POA&M • Review and approve Security Plan
• Report security status to AO and continuous monitoring strategy
• AO reviews reported status • Apply overlays and tailor
• Implement system decommissioning strategy

RMF
Step 5 Step 3
AUTHORIZE IMPLEMENT
System Security Controls
Step 4
ASSESS • Implement control solutions consistent with
• Prepare the POA&M
DoD Component Cybersecurity
• Submit Security Authorization Security Controls architectures
Package (Security Plan, SAR, and
• Document security control implementation
POA&M) to AO • Develop and approve Security in Security Plan
• AO conducts final risk determination Assessment Plan
• AO makes authorization decisions • Assess security controls
• SCA prepares Security Assessment
Report (SAR)
• Conduct initial remediation actions

Reference: DoDI 8510.01; May 24, 2016; Figure 3

Distribution Statement A: Approved for public release; distribution is
unlimited (26 June 2018)
DoD Control Baseline Example

Distribution Statement A: Approved for public release; distribution is

Reference: CNSSI 1253
unlimited (26 June 2018)
Control Example

Distribution Statement A: Approved for public release; distribution is

Reference: NIST 800-53r4
unlimited (26 June 2018)
DoD RMF Resources
• DoDI 8510.01, Change 2, July 28, 2017, Pages 9-39

• NIST SP 800-53r4, Chapter 2, Pages 7-27

• CNSSI 1253, Pages 1-7

• DoDI 8500.01, Pages 1-5

Distribution Statement A: Approved for public release; distribution is

unlimited (26 June 2018)
 We deliver Information Warfare capabilities
Enabling Warfighters to secure America
and promote global freedom

SSC Atlantic is part of the Naval Research & Development Establishment (NR&DE)

Web: http://www.public.navy.mil/spawar/Atlantic Facebook: http://www.facebook.com/spaceandnavalwarfaresystemscommand

Twitter: http://twitter.com/SPAWARHQ Employment opportunities: www.USAJOBS.gov
SPAWAR Small Business: http://www.public.navy.mil/spawar/Pages/SmallBusiness.aspx
SPAWAR Contract Directorate Office: https://e-commerce.sscno.nmci.navy.mil
Distribution Statement A: Approved for public release; distribution is
unlimited (26 June 2018)
10