RMF for Contractors and Vendors

Private sector organizations providing products and services to the government are subject to information security oversight by their federal customers. The nature of a contractor’s involvement with RMF depends upon the type of product or service provided and the specific contractual relationship.

  • “Direct support” contractors. These are companies who provide direct labor in support of government programs, typically sending contractor personnel to work at the government site alongside government staff. Such individuals typically work under the direct supervision of a government manager and may be given information security responsibilities, including FISMA and RMF-related work.
  • Product manufacturers/vendors. These are companies who develop/manufacture hardware and/or software products intended for installation in government facilities. Examples are software developers, medical device manufacturers, environmental control system manufacturers, etc. Such organizations will be involved with RMF at several levels:
    • Ensuring their product is “FISMA compliant” (i.e., compliant with government security controls such as NIST SP 800-53 or DoDI 8500.2)
    • Providing documentation in support of their product’s compliance
    • Supporting their government customer’s efforts to obtain security authorization (accreditation) of the product in its installed environment, in accordance with FISMA and RMF
  • Outsourced service providers. These are companies who utilize their own IT facilities to process government information. Examples are companies providing web-based education to government personnel, companies processing claims for government insurance programs, etc. Such organizations are required to work in partnership with their government customers to obtain security authorization (accreditation) of their IT infrastructure in accordance with FISMA and RMF.

RMF Resource Center is committed to supporting all the above types of contractor organizations. All of our RMF Training courses are open to contractors as well as federal employees. In addition, our instructors are available to provide “on site” RMF training at the contractor’s own facility. We have special consulting programs tailored to meet the needs of product manufacturers/vendors and outsourced service providers.

BAI Information Security Announces Curriculum Enhancement of “Risk Management Framework (RMF) for DoD IT” Training Program

Fairlawn, VA – March 6, 2015 – BAI Information Security today announced a substantial enhancement to the Risk Management Framework (RMF) for DoD IT training program curriculum. The revised training program, dubbed “Version 3.0,” significantly ramps up the emphasis on building skills that DoD employees and contractors will need as their programs make the transition from DIACAP to RMF.