Friday, January 4, 2019

DoD RMF Governance

[Image: RMF Governance Tiers]
  • Tier 1
    • DoD CIO, DoD SISO, RMF TAG, RMF KS
    • The DoD CIO directs and oversees cybersecurity risk management for DoD.
    • The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity Program, which includes the establishment and maintenance of the RMF.
      • Advises and informs the principal authorizing officials (PAOs) and their representatives
      • Oversees the RMF TAG and RMF KS
      • Assesses and validates Tier 1 Common Security Controls and publishes the list of such security controls to the RMF KS
    • The RMF TAG provides implementation guidance for the RMF by interfacing with DoD Component cybersecurity programs, cybersecurity communities of interest (COI), and other entities (e.g. DSAWG) to address issues that are common.
    • The RMF KS is a dynamic online knowledge base that supports RMF implementation, planning, and execution by functioning as the authoritative source for RMF procedures and guidance.
  • Tier 2
    • PAO, DoD Component CIO, DoD Component SISO
    • A PAO is appointed for each of the DoD Mission Areas (MA) (Warfighting MA (WMA), Business MA (BMA), Enterprise Information Environment MA (EIEMA), and the DoD portion of the Intelligence MA (DIMA)), and their representatives are members of the DoD ISRMC.
      • Represent the interests of the MA, as defined in DoDD 8115.01, and, as required, issue authorization guidance specific to the MA.
      • Resolve authorization issues within their respective MAs and work with the other PAOs to resolve issues among MAs.
      • Designate AOs for MA IS and PIT Systems supporting MA COIs specified in DoD 8320.2-G, in coordination with the appropriate DoD Component heads, if required.
      • Designate information security architects or IS security engineers for MA segments or systems, as needed.
    • Each DoD Component CIO, supported by the DoD Component SISO, is responsible for administration of the RMF within the DoD Component cybersecurity program. The DoD Component CIO participates in the RMF TAG, provides visibility and sharing of the RMF status of assigned IS and PIT Systems, and enforces training requirements for persons participating in the RMF process.
    • DoD Component SISOs have authority and responsibility for security control assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.
  • Tier 3
    • Authorizing Official (AO), Information System (IS) or Platform IT (PIT)
    • DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT Systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.
    • The IS or PIT System cybersecurity program consists of the policies, procedures, and activities of the ISO, PM/SM, UR, ISSM, and ISSO(s) at the system level. The system cybersecurity program implements and executes policy and guidance from Tiers 1 and 2 and augments them as needed. The system cybersecurity program is responsible for establishing and maintaining the security of the system, including monitoring and reporting of the system security status.
