The Department of Defense (DOD) had been following the DOD Information Assurance Certification and Accreditation Process (DIACAP) since 2007. On March 12, 2014, the DOD released guidance to supersede DIACAP. The process is now titled Risk Management Framework (RMF) for DOD Information Technology (IT) and is numbered DOD Instruction 8510.01. There are a number of changes associated with transitioning to the RMF process, including migrating from DOD-specific security controls to the National Institute of Standards and Technology (NIST) security controls.

 

The DOD's migration from DIACAP to RMF began as part of an effort to consolidate and standardize information risk management across the federal government. Prior to RMF, the DOD used its own certification and accreditation process for information assurance, which differed from the process used by other federal agencies.

 

Our Solution for DIARMF

There are a number of benefits to utilizing SEMAIS as a resource element for DIARMF. First, the entire organization will operate under one process, which gives users, including warfighters, a greater degree of confidence that the systems they operate daily are more secure. Next, reciprocity, the ability to leverage a previously granted authorization across agencies, can be realized under a single process by using our solution strategy. Using the same security control requirements enables a more standard approach to measuring cybersecurity risk. Additionally, we help standardize the language used for information assurance across the entire federal government.

 

What We Deliver

Our products and services supporting DIARMF provide the tools and resources to transition a MAC I, MAC II, or MAC III system, its IA control framework, artifacts, and assessment methodology based on OMB Circular A-130 and FISMA guidance. Our solutions start by examining the current system and outlining the requirements, processes, and tasks needed to transition the system. We deliver the following products for the customer:

 

  • Personnel roles and responsibilities
  • Training
  • System categorization
  • Security control implementation
  • Policies and procedures
  • Documentation
  • Assessment methodology
  • eMASS support
  • Control overlays
  • Risk Management Framework and supporting laws, standards, and regulations
  • New requirements under FISMA 2012
  • Steps in the RMF process
  • Preparing and submitting the authorization package
  • Understanding and executing continuous monitoring
  • Practice in the use of federally approved security tools

 

 

History

In March 2014, DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), was published. The RMF replaces the DOD Information Assurance Certification and Accreditation Process (DIACAP) as the process for obtaining authorizations to operate. The RMF applies to all DOD IT that receives, processes, stores, displays, or transmits DOD information. These technologies are broadly grouped as information systems (IS), platform IT (PIT), IT services, and IT products, including IT supporting research, development, test and evaluation (RDT&E), and DOD-controlled IT operated by a contractor or other entity on behalf of the DOD.

Our Approach


Step 1—Categorize Information System

Using FIPS 199, FIPS 200, DoDI 8500.01, and DoDI 8510.01, we perform a detailed impact assessment for each security objective (confidentiality, integrity, availability) to determine the potential impact level (low, moderate, or high) that applies to the system and the information it handles, which establishes the system's security categorization.

 

Step 2—Select Security Controls

Our SMEs start the security control selection process by identifying the initial baseline set of controls from the NIST SP 800-53 control families that corresponds to the system categorization, and then tailor the selected controls based on security requirements, risk factors, applicable overlays, and the security architecture.

 

Step 3—Implement Security Controls

Our methodology for security control implementation is to work from the security design and security architecture employed for the system. The process starts by reviewing the selected controls and the architectural description, then developing an implementation plan for the system or application.

 

Step 4—Assess Security Controls

We start the Security Control Assessment (SCA) by coordinating with the customer on how to apply NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, to determine whether each control is implemented correctly, operating as intended, and producing the desired outcome. This is achieved by assessing the security controls per the Security Test Plan (STP).

 

Step 5—Authorize Information System

We work closely with the customer to assemble the security authorization package (Readiness Assessment Report (RAR), Security Assessment Report (SAR), System Security Plan (SSP), POA&M, STP, and supporting artifacts), submit it via the SCA to the Authorizing Official or Deputy Authorizing Official (AO/DAO) for acceptance, and interpret the AO's risk determination for the customer.

 

Step 6—Monitor Security Controls

For continuous monitoring, we use the authorized configuration as the initial state against which the security impact of proposed or operational changes is determined. Our methodology compares the current configuration baseline with that initial state to identify changes, and correlates those changes with vulnerabilities identified by ACAS scans and applicable IAVAs.

 

Enterprise Mission Assurance Support Service (eMASS) Support

eMASS is a web-based resource that automates the RMF process. It includes all the reports required by the RMF process and can generate new reports based on the user's needs. The main purpose of eMASS is to allow users to share access to specific data in near real time and in a secure fashion. Our eMASS solution integrates several capabilities, such as:

  • Reporting on a system’s cybersecurity compliance
  • Simplifying the RMF workflow automation
  • Standardizing the exchange of information
  • Tracking systems-security engineering during the entire life cycle

 

© 2017 Secure Managed Instruction Systems, LLC | 3350 Riverwood Pkwy, Ste 1900 | Atlanta, Georgia 30339 | Email: semais@semais.net