RMF Publications

LAWS AND EXECUTIVE ORDERS

Federal Information Security Modernization Act (FISMA), 2014
OMB Circular A-130 (Managing Information as a Strategic Resource)

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) PUBLICATIONS

FIPS 199 (Security Categorization), February 2004
FIPS 200 (Minimum Security Controls), March 2006

NIST SPECIAL PUBLICATIONS (SP)

SP 800-12 (An Introduction to Information Security), June 2017
SP 800-18 (Security Plans), Feb 2006
SP 800-30 (Risk Assessment), September 2012
SP 800-34 (Contingency Planning), May 2010
SP 800-37 Rev 2 (Risk Management Framework), December 2018
SP 800-39 (Organizational Risk Management), March 2011
SP 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations), January 2014
SP 800-53A Rev 4 (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans), December 2014
SP 800-53B Rev 4 (Control Baselines for Information Systems and Orgainzations), October 2020
SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), September 2020

Analysis of updates between 800-53 Rev. 5 and Rev. 4, by MITRE Corp. for ODNI, December 2020 (xls)
Mapping: Appendix J Privacy Controls (Rev. 4) to Rev. 5, December 2020 (xls)
Mappings: Cybersecurity Framework and Privacy Framework to Rev. 5 (xls), December 2020 (xls)

SP 800-55 Rev 1 (Performance Measurement Guide for Information Security), July 2008
SP 800-59 (National Security Systems), August 2003
SP 800-60 Rev. 1 (Security Categorization), Volume 1, August 2008
SP 800-60 Rev. 1 (Security Categorization), Volume 2, August 2008
SP 800-61 Rev. 2(Incident Response Planning), August 2012
SP 800-137 (Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations), September 2011
SP 800-137A (Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment), May 2020
IR 7298 (Glossary of Key Information Security Terms)

COMMITTEE ON NATIONAL SECURITY SYSTEMS (CNSS) PUBLICATIONS

CNSSP 22 (Risk Management Policy for NSS)
CNSSI_1253 (Security Categorization and Control Selection for National Security Systems)
CNSSI 1254 (Risk Management Framework Documentation Data Element Standards and Reciprocity Process for NSS)
CNSSI 4009 (Committee on National Security Systems (CNSS) Glossary)
Classified Information Overlay
Privacy Overlays

DEPARTMENT OF DEFENSE DIRECTIVES AND INSTRUCTIONS

DoDI 8500.01 (Cybersecurity)
DoDI 8510.01 (RMF for DoD IT)
DoDD 8140.01 Cyberspace Workforce Management, October 2022
DoDI 8140.02 Identification, Tracking, and Reporting of Cyberspace Workforce Requirements, December 2021
DoDM 8140.03 Cyberspace Workforce Qualification and Management Program, February 2023

DEPARTMENT OF DEFENSE MEMOS

Continuous Authorization (cATO) Memo, Feb 2022

INTELLIGENCE COMMUNITY (IC) PUBLICATIONS

ICD 503 (Risk Management, Certification and Accreditation)

DISA CLOUD COMPUTING SUPPLEMENTAL GUIDANCE AND INFORMATION

DISA Cloud Computing Security Requirements Guide v1r3
Best Practices Guide for DoD Cloud Mission Owners
Cloud Connection Process Guide v2
Cloud Related Baselines and eMASS Cloud Overlays Ver. 1, Rel 1
DoD Cloud Cyberspace Protection Guide
DoD Cyber Activities Performed for Cloud Service Memo
Secure Cloud Computing Architecture (SCCA) Functional Requirements (FR) v2-9
DISA Cloud Service Catalog, December 2018 (up to date as of Sept. 2020)

DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY (DCSA) PUBLICATIONS

DCSA Assessment and Authorization Process Manual (DAAPM) v2.2
DAAPM Appendix A (Security Controls)
National Industrial Security Program (NISP) eMASS Operation Guide
DoD 5220.22-M (NISPOM)

CLOUD COMPUTING SUPPLEMENTAL GUIDANCE AND INFORMATION

Cloud Smart – Federal Cloud Computing Strategy
CNSSP 32 Policy on Cloud Security
CSP Continuous Monitoring Strategy Guide
Cyber Exchange Current Cloud Service Providers 2025
DoD Authorized Cloud Services Catalog SEPT2018-1
DoD Best Practices Guide for DoD Cloud Mission Owners
DoD Cloud Authorization Process
DoD Cloud Computing Mission Owner SRG Jan 2025
DoD Cloud Connection Process Guide
DoD Cloud Cyberspace Protection Guide
DoD Cloud Service Provider SRG Jan 2025
DoD Cloud Strategy
DoD Cybersecurity Activities Performed for Cloud Service Offerings
DoD Secure Cloud Computing Architecture Functional Requirements
NIST SP 800-145 The NIST Definition of Cloud Computing

See also:

Recent Posts / View All Posts

CompTIA Continuing Education – BAI Is Pre-Approved for CEUs

Kathryn Daily | BAI Announcements, FEDRamp, Risk Management Framework, RMF Training, Security Technical Implementation Guides | No Comments

Did you know? BAI has partnered with CompTIA to become a pre-approved training provider. You can earn 1 CEU for each our of training. Our classes range from 1 day (8 CEUs) to 5 days (40 CEUs). At least 5o% of the training course content must relate to one or…

RMF Alignment with the ISC2 CGRC Exam

Kathryn Daily | Uncategorized | No Comments

By Kathryn Daily, CISSP, CGRC (Formerly CAP), RDRP BAI’s training programs were developed with the information systems professional in mind. NIST’s Risk Management Framework is one of the most widely used governance, risk and compliance frameworks in the nation and forms the core of the ISC2 CGRC Exam Content (for…

Which Security Controls Are Required? A Definitive Answer

Kathryn Daily | Uncategorized | No Comments

By Amanda Lowell, Security+CE, RDRP Folks frequently reach out to BAI to ask, “Which security controls are required for X kind of DoD system?” It’s a valid question that can also be indicative of a common misconception. The short answer is, you will have certain control overlays for your information…