Just recently, the Defense Department announced its plan to transition from the DoD Information Assurance Certification and Accreditation Process, or DIACAP, to NIST’s Risk Management Framework (RMF). This means that, for the first time, defense, intelligence and civilian federal agencies will all use the same set of risk management standards. On March 12, DoD Chief Information Officer Teresa Takai issued an instruction guide for the department to assist with the transition. Is your organization making the transition? Here’s some basic information you need to know about RMF:
Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance. With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures.
The following activities, all related to managing organizational risk, are paramount to an effective information security program:
- Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis
- Step 2: Select an initial set of baseline security controls for the information system based on the security categorization
- Step 3: Implement the security controls and document how the controls are deployed within the information system and environment of operation
- Step 4: Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome
- Step 5: Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable
- Step 6: Monitor and assess selected security controls in the information system on an ongoing basis
The primary goal behind DoD’s adoption of the NIST RMF process is to improve the ability of all areas of the federal government to develop defenses against threats emanating from cyberspace. It’s important to remember that, with anything IT related, things are constantly evolving and nothing is set in stone. The RMF will continue to evolve in the coming weeks, months and years. And NSTi is here to guide you and assist with your RMF needs. Our System Security Practitioners Course takes an in-depth dive into the RMF and walks through the important documents surrounding it. Even better, our consultants are standing by to assist with the transition at your organization today!