The Defense Department is transitioning to a new approach to authorize its IT systems. The Risk Management Framework (RMF) will replace the DoD Information Assurance Certification and Accreditation Process (DIACAP).
This new approach should let owners, operators and defenders of IT systems better understand and manage the risks posed by threats and vulnerabilities to DoD networks and data.
While managing risk is more difficult than checklist compliance with cybersecurity regulations, officials said it produces better results.
RMF is years in the making
The move from DIACAP to RMF is not new — it began about four years ago with DoD Instruction 8510.01, issued in March 2014, said Ed Brindley, DoD’s acting deputy chief information officer for cybersecurity.
“It offered an opportunity to get federal civilian agencies, DoD, and the intelligence community all using the same process,” he said.
Because DoD requires an authority to operate (ATO) as each IT system comes online, and mandates a reauthorization every three years, the use of the RMF has been phased in. Ron Ross, Joint Task Force Transformation Initiative project leader for the National…