By Lon J. Berman, CISSP, RDRP
This month we will be celebrating our oldest grandson’s tenth birthday. It suddenly made me realize that with everything that’s been going on in 2020, it appears we missed another significant birthday this year – February marked the tenth birthday of the Risk Management Framework (RMF). You might be thinking, “Wait a minute. It can’t be ten years. It seems like we didn’t hear anything about RMF until four, maybe five years ago.” Well, if you’re with DoD, you may well be right. DoD did not formally adopt RMF until 2014, and it took another year or two before it even took hold in most of the DoD agencies. The big picture, however, is that RMF was initially published in NIST Special Publication (SP) 800-37 in February, 2010.
RMF is in fact the work of the Joint Task Force Transformation Initiative Interagency Working Group. If you’re thinking you saw an organization by that name in a Hollywood action movie starring Morgan Free-man, you’re wrong. That’s the name of a real organization – you can’t make up stuff like that! Let’s just call them the Joint Task Force (JTF) for short. The members of JTF include representatives of DoD, the federal civil departments/agencies, and the intelligence community (IC). The purpose of JTF is to create and maintain an information security framework “for the entire federal government”. Those are their words, but they are a bit of hyperbole. JTF has purview over the entire Executive Branch and not the entire federal government. It’s in the Constitution, folks! Of course the lion’s share of the federal government lies within the executive branch, so we’ll for-give JTF for their exaggeration. JTF’s mission is to unify the three “sectors” of the executive branch (DoD, civil departments/agencies and the IC) with an overarching methodology for information security management. The intent is to facilitate information sharing, particularly in programs that involve two or more of these “sectors”. Working in partnership with the JTF, NIST published several documents that represented the “birth” of RMF. They then left it for the three “sectors” of the executive branch to get on board and transition from their existing Certification and Accreditation (C&A) process to RMF.
The transition was the easiest for the federal civil departments and agencies since most of them were already using a C&A process based on earlier versions of the NIST publications. They were soon followed by the intelligence community, leaving DoD bringing up the rear. Now as we all know, the wheels of change turn very slowly at DoD and there was considerable debate among the various DoD components. It wasn’t about whether to adopt RMF. By virtue of its membership in the Joint Task Force, DoD was pretty well committed to making the transition. The debate was more about the how, the transition timeline, etc. Finally, in March of 2014, the DoD CIO picked up her pen and signed the publications (DoD Instructions 8500.01 and 8510.01) that marked the beginnings of what they called RMF for DoD IT. An interesting footnote to that story is that the pen the DoD CIO used to sign those publications must have been a very heavy one – it wore her out so much that she chose to retire from government service less than two months later! The formal adoption of RMF meant DoD would finally get “in sync” with the NIST publications and JTF. It took “years and tears” for many of the DoD components to get there, but now, in 2020, DoD is firmly entrenched in RMF.
Mission accomplished? Well, not quite.
In the intervening years NIST has made some significant upgrades to the key RMF publications, and DoD has yet to get on board with some of those. In particular, the security controls and assessment procedures were significantly upgraded in NIST SP 800-53 Rev 5 and the accompanying SP 800-53A. Even the RMF process itself has been upgraded in NIST 800-37 Rev 2. It remains for DoD to update DoD Instructions 8500.01 and 8510.01 to keep pace. In other words, it’s more like mission ongoing. Stay tuned!
Having said all of that … Happy (belated) Birthday, RMF.