
DoD RMF Part 1: How We Got to the RMF
Over the next few weeks, I plan to post about the RMF process. This will piggyback on and expand upon the article: My Experience with the DoD Version of the RMF.
A little background on how the DoD got to the RMF. For those that have been around a while, it started with the Rainbow series of publications, most notably the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. This was a first attempt at assessing computer security. The next evolution of this effort became known as the Common Criteria. For the DoD, the next stage was the DoD Information Assurance Certification and Accreditation Process (DIACAP).
DIACAP was published in November 2007 and was intended to be implemented alongside the system life-cycle; it was often depicted running in parallel with that life-cycle. DIACAP consisted of five stages: Initiate and plan IA C&A; Implement and validate assigned IA controls; Make Certification & Accreditation decision; Maintain Authorization to Operate (ATO) and conduct reviews; and Decommission. Each of these was further broken down into sub-steps. It set the standard for systems to meet and mandated that all findings be addressed in some manner before an ATO would be awarded. This instruction also defined the controls a system was expected to meet based on its Mission Assurance Category and Confidentiality Level.
Part of the mandate for DIACAP was FISMA. As part of FISMA, the National Institute of Standards and Technology (NIST) was directed to establish a process and controls to be used by federal systems other than DoD or national intelligence systems. Out of this effort came the Risk Management Framework (RMF). This framework and the supporting publications defined processes and controls for these systems, and efforts were done