All those involved in the National Industrial Security Program (NISP) and operating under the rigor of the NISP Operating Manual (NISPOM) are aware that on October 3, 2016, the Defense Security Service (DSS) advised all NISP partners and cleared industry that the transition to the Risk Management Framework (RMF) will occur. DSS directed that all expiring accreditations and new accreditations for stand-alone systems are required to use the RMF guidelines.

DSS went on to provide a substantive resource center, identifying which authorizations are grandfathered in, and so on. All expiring accreditations and requests for new accreditations for stand-alone systems must be submitted to DSS using RMF guidelines.

In November 2016, DSS, via their Twitter account, provided all NISP participants (and Twitter followers) with a heads-up that in late December DSS will be providing new System Security Plan (SSP) guidance and a template to be followed by defense contractors. The new SSP will continue to fall within the DSS RMF.

While we wait for the new guidance, it seems appropriate to review the last two months of activity that impact accredited systems. DSS prepared a five-page RMF getting-started guide to facilitate implementation of the RMF by Facility Security Officers (FSOs) and their Information System Security Managers (ISSMs). And the ISSM has their own portal containing the ISSM Toolkit.

The DSS RMF uses a security industry-standard, six-step process designed to ensure that the security of IT systems is constantly being monitored, assessed and improved. No longer will snapshots in time be the norm. The six steps, as defined by the framework, are: Categorize the Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize the Information System, and Monitor the Information System, a cycle that is circular and continuous.

The guide includes links and directions to specific training modules and includes a recorded webinar on the framework.

  • Introduction to RMF (CS124.16)
  • Continuous Monitoring (CS200.16)
  • Categorization of the System (CS102.16)
  • Selecting Security Controls (CS103.16)
  • Implementing Security Controls (CS104.16)
  • Assessing Security Controls (CS105.16)
  • Authorizing Systems (CS106.16)
  • Monitoring Security Controls (CS107.16)
  • RMF Overview – Recorded Webinar

And keep your eye out for the new DSS System Security Plan template and guidance; it will affect how each facility secures its systems for years to come. It will no doubt be influenced by, and indeed may mirror, many of the components found in NIST Special Publication 800-160: Systems Security Engineering (250+ pages). The NIST guidance drives home the need to be able to trust our systems, and in order to accomplish that, continuous rigor must be engineered into the systems, along with personnel adoption of the continuous cycle of the RMF.

For those who haven’t embraced the DSS Risk Management Framework, that’s a New Year’s resolution worth making.


Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).