RMF Step 0: Prepare
- Kie Yavorsky
- Jul 12, 2024
Step 0 is the most frequently forgotten step in the RMF process. The RMF process begins with identifying the people who will fill the RMF team's roles. Next, the RMF team implements the RMF process for the organization's DoD systems. The RMF Security Authorization Package must meet the standard prescribed by DoDI 8500.01. In addition, RMF team members must meet the appropriate qualification standards prescribed by DoD Directive 8140.01. (Note: until canceled and replaced by a Manual under 8570.01-M, DoD Manual 8570.01-M remains in effect.)
Finally, the RMF team identifies RMF stakeholders, including all the people who may interact with the system throughout its lifetime. Non-U.S. citizens cannot serve as ISSMs, ISSOs, or in supervisory cybersecurity positions. When identifying RMF team members, the RMF Roles page provides information on the team members and an overview of all of the stakeholders who can be involved.
No-Go Relationships Between RMF Team Members
The Authorizing Official (AO) cannot be or report to the Program Manager/System Manager (PM/SM) or the Program Executive Officer (PEO).
Security Controls Assessor (SCA) cannot be or report to the PM/SM or PEO.
User Representatives cannot be or report to the PM/SM.
All DoD systems must be entered in the DITPR or SITR, as current DITPR and SITR guidelines require. SAP systems must also be registered with the DoD component SAP Central Office (SAPCO). New DoD systems must be entered in the DITPR or SITR at the start of the system development life cycle. Failure to do so will result in increased monetary costs and time delays down the line.
The DoD system registration number, obtained from the DITPR or SITR, must be recorded in the Security Plan's System Identification field. In addition, non-traditional IT, such as weapons systems or control systems, will have their system registration number recorded in a Component-specific registry.
All Information System owners must register their systems in the Component system registry. Component websites or portals should provide detailed implementation procedures and policies. The workspace section on the Knowledge Service, which is dedicated to DoD Components, may serve as a portal.