Critical Turnaround – Converting a Customer to RMF Under a Quick Deadline

Background

The Defense Department’s Risk Management Framework (RMF) applies to all DoD information technology that receives, processes, stores, displays, or transmits DoD information, and it follows the processes outlined in DoD and National Institute of Standards and Technology (NIST) publications. With the transition away from the DoD Information Assurance Certification and Accreditation Process (DIACAP), the DoD requirements and processes became consistent with those of the rest of the federal government.

When a Defense Department customer’s system accreditation process fell behind schedule during the conversion from DIACAP to RMF, the customer asked SMS to support its current needs as well as plan for future accreditations.

Challenge

The challenge was to provide system reaccreditation to a Defense Department agency on a condensed timeline using best practices, while also implementing processes to manage future accreditations.

Method

SMS began the project by deploying an experienced information assurance (IA) team to manage the DIACAP-to-RMF migration. The IA team was deployed from SMS headquarters in McLean, VA, to a mid-western location for two months to manage the reaccreditation process and train staff on the requirements of RMF. The SMS team provided expertise on the complexities of the RMF process, starting with proper categorization. The number of controls and checks, which can exceed 4000, depends on the system categorization, which is derived from the operational mission’s security requirements for confidentiality, integrity, and availability.

SMS then created an RMF foundation and training structure for the customer that was designed not only to address the current system need, but also to ease future RMF accreditations with a process the customer could follow for every future iteration. The training structure included access to the SMS corporate SharePoint site, which provided guides, processes, links, and templates.

By training the customer’s staff on all necessary tools, providing one-on-one training, and augmenting customer staff with an RMF subject matter expert (SME) to retain institutional knowledge, SMS helped ensure the success of both the current and future system accreditations. The SME allowed the customer to keep the system secure, continuously improve system security, and reduce overall risk.

Benefit

In addition to the RMF package being completed on time and receiving accreditation, SMS provided the support and training the customer needed to maintain the system in the future.