
March 24, 2014

On March 12, 2014 the DoD released a new policy that makes it official that the DoD Information Assurance Certification and Accreditation Process (DIACAP) is being put to bed in favor of a "new" Risk Management Framework (RMF). The news is not a revelation as it has been in the works for a few years now.

The new framework will be mapped to the already established principles defined in the NIST Risk Management Framework.

One expected benefit from this transition is a harmonization in terminology between the private and government sectors.

The NIST risk-based approach follows a 6-step process that includes:

  1. Categorize – Based upon an impact analysis, categorize an information system and the information it works with (processes, stores, transmits, etc.)
  2. Select – Based on step 1, select baseline security controls appropriate for the needs of the organization. NIST Special Publication 800-53 provides guidance on this.
  3. Implement – Put the controls into use (i.e., implement them) and document, document, document.
  4. Assess – Make sure the controls are correctly implemented and are performing as anticipated. NIST Special Publication 800-53A provides guidance on this.
  5. Authorize – Authorize the system to operate based on the risk evaluation. Check out NIST Special Publication 800-37 Rev. 1 for information on authorizing federal systems to operate.
  6. Monitor – Monitor and assess in an ongoing fashion to make sure systems and controls continue to work effectively. Check out NIST Special Publication 800-37 Rev. 1 for information on monitoring.

ITdojo now has three courses to help with the transition if your organization has not already made it. They are:

Risk Management Framework (RMF) for DoD IT Training

Risk Management Framework (RMF) for FISMA IT Training

Information Security Continuous Monitoring (ISCM) Training

Cheers,

Colin Weaver
