Better RMF Cybersecurity Training is Needed for DoD

Thursday, March 2, 2017 13:03

(Before It's News)

WASHINGTON, DC – 3/2/2017 – “RMF is a game changer and the whole defense sector needs better training than the overview courses taught by most training vendors,” says Michael Hill, CISSP-ISSEP, C|EH, the president of CyberAssure and lead instructor in a series of information security management training courses customized for the DoD. “There has been a paradigm shift in the management of cybersecurity, and a lot of the training courses approach the subject like RMF is just a name change where all you need to do is rearrange a few roles in the org chart and then it is business as usual,” he continued. “The reality is that the whole certification and accreditation model for benchmarking security is being abandoned, expertise requirements have changed, new roles have been created, responsibilities have been shifted from IT departments to program managers, documentation needs to be radically more detailed, and the very definition of security has changed. To fully commit to the new model will be extremely disruptive. Everyone, not just IT or IA people, needs to be on the same page, and RMF overview training will not cut it.”

Since 2014, with the adoption of DoDI 8500.01 and 8510.01, information security operations within all Defense agencies and military organizations have been turned on their heads, as the Defense Information Assurance Certification and Accreditation Program (DIACAP) was abandoned in favor of the Risk Management Framework (RMF), which has been used by the rest of the government for many years.

The reception of RMF by DoD components has been anything but smooth. The elevation of civilian documents to the role of DoD guidance seems to rub some long-term DoD and military information security professionals the wrong way. “Human beings tend to resist change and find fault with the source of the change,” Hill says. Despite the NIST byline on the guidance publications, the national security community shaped RMF. The Joint Task Force Transformation Initiative Interagency Working Group, which includes representatives from the Civil, Defense, and Intelligence Communities, has spent the better part of a decade in an ongoing effort to produce a unified information security framework for the federal government, culminating in a series of National Institute of Standards and Technology (NIST) Special Publications adopted by DoD as “RMF for DoD IT” (DoDI 8510.01). “RMF is a mature, very well designed framework for information security governance.”

“The big mistake is to try to do RMF with a C&A mindset. Too many in the DoD community are approaching RMF like DIACAP with 10 times the number of security controls. RMF can be easier than DIACAP with better outcomes if everyone in the approval chain correctly understands it. The problem is that it is not the case. In our course, we spend only a little time on the overview of the six steps of RMF. We spend most of the time in the critical areas of how to implement a successful RMF security program in the DoD environment and how to assess security control effectiveness.”

“Other courses out there are teaching RMF as if in a vacuum. There is no regard for the changes from C&A that DoD cybersecurity professionals are used to. Many of the courses are using the same manuals used for the civilian version of RMF. What we offer is a class taught by working DoD cybersecurity professionals, real ISSOs, ISSMs, and SCA validators, to close the gaps between where we were and where we are going.”

More information is available on CyberAssure RMF training at

Free Training Demo:

Media Contact
Company Name: Washington, DC
Contact Person: Anita Hill
Phone: 2024948803
Country: United States

Source: GetNews
