Lesson 1: RMF Introduction
RMF Introduction
Let's begin by looking back at how the DOD transformation to the Risk Management Framework started.
RMF Introduction (Continued)
Information technology and information systems are integral to DOD operations. While these systems have brought great benefits to our mission and business functions, they also introduce vulnerabilities into our organizational operations.

DOD systems are subject to threats that can adversely affect the confidentiality, integrity, or availability of the information they process, store, or transmit.
RMF Policies and Regulations
The Risk Management Framework, developed by the National Institute of Standards and Technology (NIST) and documented in its Special Publication 800-series (SP 800-37 describes the framework itself), is used by federal agencies under the Federal Information Security Modernization Act (FISMA). It provides a structured yet flexible approach to managing the risk that results from incorporating information systems into an organization's mission and business processes.
Policy Alignment
DOD aligned its cybersecurity and risk management policies, procedures, and guidance with the NIST documents produced by the Joint Task Force Transformation Initiative, creating the basis for a unified information security framework for the Federal government.
Policy Partnerships
DOD participates in Committee on National Security Systems (CNSS) and NIST policy development as a vested stakeholder, with two goals: to create a more standardized approach to cybersecurity, and to protect the unique requirements of DOD missions and warfighters.
RMF Guidance Alignment
The RMF Knowledge Service (KS) is DOD's official repository for enterprise RMF policy and implementation guidelines. It provides cybersecurity practitioners and managers with a single authoritative source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.
DOD RMF Decisions Structure
Under the RMF, the technical and non-technical features of DOD information systems are comprehensively evaluated in their intended operating environment. This allows the Authorizing Official (AO) to determine whether the system is approved to operate at an acceptable level of security risk, based on the implementation of an approved set of technical, managerial, and procedural countermeasures or mitigations. We will explore the specifics of the framework, which consists of seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor), in the Implementation Guidance portion of this course.