RMF in the Department of Defense (DoD)

DoD components include the Military Departments as well as numerous agencies within the Office of the Secretary of Defense (OSD) and the Joint Chiefs of Staff (JCS) (see list below). Since 2006-7, DoD components have been utilizing the DoD Information Assurance Certification and Accreditation Process (DIACAP) as the standard process for assessment and authorization of information systems. DIACAP is a five-step life cycle process that includes:

• Initiation and Planning
• Implementation and Validation
• Certification and Accreditation
• Maintenance and Review
• Decommissioning

The DIACAP roles, responsibilities, and life cycle process are specified in DoD Instruction (DoDI) 8510.01. DIACAP focuses on compliance with a standard set of Information Assurance (IA) Controls (security requirements) that are documented in DoDI 8500.2.

As an active participant in the Joint Task Force Transformation Initiative, DoD is committed to a transformation from DIACAP to RMF. It has been suggested they will begin using the term DoD Information Assurance Risk Management Framework (DIARMF) to refer to the RMF as implemented within DoD.

A plan and time line for the “DIACAP to RMF transformation”, including publication of revised DoD Instructions, are under development within DoD, but have not been released. In the meantime, DoD components will continue to actively practice the “legacy” DIACAP process.

RMF Resource Center is addressing both present and future DoD needs. Our affiliated DIACAP Resource Center continues to offer a comprehensive DIACAP training program as well as DIACAP consulting services. In addition, we highly recommend DoD personnel begin educating themselves on RMF in order to effectively manage the upcoming transition. Our RMF Training program is therefore open to DoD employees and contractors.

DoD Components

• Military Departments
  • U.S. Army
  • U.S. Navy
  • U.S. Marine Corps
  • U.S. Air Force

• Joint Chiefs of Staff

• Office of the Secretary of Defense
  • Defense Policy Board Advisory Committee
  • Office of Net Assessment
  • Pentagon Force Protection Agency
  • Office of General Counsel
  • Defense Legal Services Agency
  • Office of Inspector General
  • Defense Criminal Investigative Service
  • Under Secretary of Defense for Intelligence
  • Defense Security Service
  • Defense Information Systems Agency
  • Under Secretary of Defense for Policy
  • Defense Security Cooperation Agency
  • Defense Prisoner of War/Missing Personnel Office
  • Under Secretary of Defense for Acquisition, Technology and Logistics
  • Defense Advanced Research Projects Agency
  • Missile Defense Agency
  • Defense Contract Management Agency
  • Defense Logistics Agency
  • Defense Threat Reduction Agency
  • Office of Economic Adjustment
  • Defense Acquisition University
  • Business Transformation Agency
  • Under Secretary of Defense for Personnel and Readiness
  • Defense Commissary Agency
  • Defense Human Resources Activity
  • Department of Defense Education Activity
  • Department of Defense Dependents Schools
  • Tricare Management Activity
  • Uniformed Services University of the Health Sciences
  • Defense Equal Opportunity Management Institute
  • Office of the Chancellor for Education and Professional Development
  • Under Secretary of Defense Comptroller
  • Defense Contract Audit Agency
  • Defense Finance and Accounting Service
  • Assistant Secretary of Defense for Networks and Information Integration
  • Assistant Secretary of Defense for Public Affairs
  • Washington Headquarters Services