The Department of Defense (DoD) has many responsibilities regarding the Risk Management Framework (RMF). According to enclosure 2 of a 2016 DoD instruction, the agency clearly defines the roles and responsibilities for RMF (“DoDI”, 2016). The DoD Chief Information Officer (DoD CIO) is responsible for overseeing all of the RMF policies and procedures and their implementation. The Director, Defense Information Systems Agency (DISA) assists in the implementation of RMF policies and procedures and trains staff on how to use them. The Secretary of Defense for Acquisition, Technology and Logistics assists with the implementation of RMF with an emphasis on defense systems. The Director, National Security Agency promotes information security and creates risk models and assessments. DoD Component Heads ensure that RMF procedures correspond with agency policies. The CJCS is responsible for communicating policy to all the various staff members to keep everyone focused on delivering specific inputs and outputs for RMF. The Commander is responsible for authorization of military resources such as nuclear energy and defense systems.
These individuals have a direct impact on the United States’ ability to apply RMF policies and procedures domestically, nationally and internationally. The Department of Homeland Security (DHS) focuses primarily on cybersecurity within the U.S., but can also provide assistance to DoD. These nine individuals are responsible for the entirety of RMF procedures across the Federal government. Their work impacts the country’s national security, international reputation, and American lives within the states and those in the military.
RMF is a reliable approach to risk assessment and operations for government or any organization. However, like all policies and procedures, RMF is derived from previous frameworks. The DoD created the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), which was in use for 10 years. The DoD Information Assurance Certification and Accreditation Process (DIACAP) was implemented next and became the following innovation. It featured “a static, milestone driven process, triennial reaccreditations, annual security reviews, periodic patch updates and DoD security controls” (“DIACAP”, 2012). RMF provided innovations in the following areas: “dynamic, ongoing process, continuous reauthorizations, continuous monitoring, real-time compliance reporting, and NIST security controls.”
Even though policies needed to evolve over the years, the DoD has cemented an RMF strategy that is considered a cybersecurity best practice, with the following steps: categorize, select, implement, assess, authorize and monitor. These six steps have proven to be more reliable than their predecessors. RMF has stronger policies and procedures, which have led to more accurate, data-driven outputs than the two previous approaches. The analysis that follows attempts to answer the question of why and how the DoD needed to update its cybersecurity strategies to develop RMF.
It is interesting to study the transition from DIACAP to RMF. The DoD discovered that it needed a newer solution than DIACAP. It created a joint task force (JTF) to generate recommendations for a new solution, which led to the creation of the revised 8500 series policies (“DIACAP”, 2012). The DoD currently uses the 8500 series publications as guidance for its RMF. It is an important research question to ask why and how the DoD established RMF after implementing previous policies successfully. It is significant to point out that the DoD, like other organizations that apply technology, is constantly researching ways to improve RMF. These research and development efforts contributed to the RMF that exists today. It is possible that the DoD was looking to develop a solution that was more flexible and had the capability to reduce risk for all government systems. The DoD discovered how to provide a framework for all government systems and systematic methods of defining roles and responsibilities. RMF has many specific advantages: it is a cost-saving method of security for CIOs, it increases deployment solutions for warfighters, it increases security for businesses and government system owners, and it integrates security controls for system developers (“DIACAP”, 2012).
Research indicates that the DoD needed to establish RMF because the government needed the ability to integrate with modern software and hardware. DIACAP was successfully implemented on systems at the DoD, but it did not offer integration with many of the other government departments.
RMF is a paramount innovation. It improves system categorization, continuous monitoring and authentication. It also provides the DoD with more security controls. RMF excels at generating security reports, and its resources can be pooled with systems from other departments. RMF can be used for preventative or corrective measures during military conflict. RMF is more technical and operational, which is a benefit for all organizations.
Future innovation of RMF and other solutions must continue to secure the confidentiality, integrity and availability of all data and systems (Gantz & Newnes, 2013). The tasks, controls and control enhancements are sufficient tools that cybersecurity practitioners can use to uphold the CIA triad. It is also important to remember that threat agents are constantly changing, which means that research and development for RMF should also continue to evolve in order to reduce risk or mitigate today’s common and emerging threats.
References
DIACAP to Risk Management Framework (RMF) Transformation. (2012, October 1). Retrieved September 6, 2020, from https://csrc.nist.gov/CSRC/media/Events/ISPAB-OCTOBER-2012-MEETING/documents/ispab_oct2012_dcussatt_dod-rmf-transition-brief.pdf
DoDI 8510.01: RMF for DoD IT. (2016). United States of America Department of Defense. Retrieved from https://www.hsdl.org/?view&did=793050
Gantz, S. P., & Philpott-Newnes, D. R. (2013). FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security. Waltham, MA: Elsevier. Retrieved from https://books.google.com/books?hl=en&lr=&id=vpeEDpd-QekC&oi=fnd&pg=PR1&dq=DIACAP+to+Risk+Management+Framework&ots=GIkX_YxYXA&sig=T1ftlx7d4JVoFvsrnZZ7DQl–DI#v=onepage&q=DIACAP%20to%20Risk%20Management%20Framework&f=false