Streamlining the Risk Management Framework (RMF) Process for Urgent and Emerging Capabilities: Institute for Defense Analyses, March 2018

From the executive summary: "The Department of Defense (DoD) needs to build cybersecurity into mission-critical acquisitions. The DoD Information Assurance Certification and Accreditation Process (DIACAP), which DoD established in 2007, was primarily a compliance-based process. The Risk Management Framework (RMF), published by the National Institute of Standards and Technology (NIST) in 2010 and adopted by DoD in 2014 is a risk management-oriented process. While both start at the initiation of a new system or modification to a major system, the difference lies in how to begin the process. DIACAP began fresh with each new system or major modification, whereas RMF is designed to build upon the work of other programs and systems. Unfortunately, rapid technology acquisition for operational requirements has been late to need, thereby introducing risk rather than mitigating risk and negating the original desired outcome of the RMF. Given that urgent and emerging capability acquisitions are granted rapid acquisition authorities because of a time-critical need, this report examines the question of whether the RMF process can be streamlined, adjudicated, or waived to meet the needed timely delivery to the warfighter."

Authors: Odell, Laura; DePuy, Cameron E.; Fauntleroy, J. Corbin; Rabren, Tyler C.; Seitz-McLeese, Miranda G.
