Goodbye NIST and DIACAP, hello RMF!

For our friends in the Federal Government and military, the process of buying cybersecurity solutions and services just became significantly more straightforward. The Department of Defense and the Federal Government as a whole have finally merged their individual certification and accreditation processes into one unified process, the Risk Management Framework (RMF). So let’s break it down. RMF is replacing the NIST process on the Federal Civilian side, and the DIACAP process on the DoD side. Separately, within the DoD there were special certifications, such as Platform IT (PIT), which were used to certify systems that did not easily fit the DIACAP process. The PIT certification may have been necessary for a research and development lab, or some specific programs that are mission critical and do not directly connect to the outside world (Internet).

Here are a few ways RMF has raised the bar:

  1. Eliminated redundant processes around obtaining an ATO. In the past, if an agency or department wanted to use or integrate a system that already had an Authorization to Operate (ATO) issued by another agency, it would still have to go through its own process to determine whether the system was an appropriate fit. Technically there was a process for reciprocity by which the ATO could be recognized, but in most cases the process required as much effort as it would take to get a new ATO, so it was seldom used. RMF has eliminated the need for processes to be repeated by different agencies. Each system that has been granted an ATO by one group’s CA can now be accepted by another group’s CA without going through a new review. While reviewers have had a reputation for being inconsistent, that can largely be explained by inconsistency in previous requirements for the review of each system. In other words, it was the processes, not the people.
  2. Simplified control testing. Old processes often required the testing of controls that would not be relevant or in use merely to prove that the control didn’t apply. If this doesn’t make sense to you, then you are in the majority! On the other hand, RMF only requires the testing of controls that apply before it goes into the Certification and Accreditation (C&A) process.
  3. Increased focus on risk (vs. compliance). Old processes suggested risk-based testing, such as penetration testing. RMF goes a step further by requiring testing beyond traditional vulnerability scanning in order to validate risk. RMF also requires continuous monitoring and risk assessment instead of the previous three-year point-in-time assessment.
  4. More thorough guidelines. RMF on its face seems to be a monster, encompassing more than 400 Information Assurance (IA) controls. However, the depth and breadth of these controls offer guidance in many situations that the NIST and DIACAP processes failed to address.

In short, the Risk Management Framework has introduced more meaningful, efficient and effective processes across the board.