Industrial Security

Risk Management Framework

Risk Management Framework (RMF) Transition Plan

Current authorizations are grandfathered and systems can continue to process under existing authorizations until expiration. See transition timeline below:

Transition Timeline / Instructions by System Type

Multi-User Standalone (MUSA) / Single-User Standalone (SUSA)
  • Execute RMF Assessment and Authorization through the Defense Assessment and Authorization Process Manual (DAAPM).
  • Standalones are no longer allowed to be self-certified under the C&A Process.
  • Be proactive and plan ahead. RMF is a new process for both ISSPs/SCAs and ISSMs. Therefore, RMF Authorizations may take additional time depending on RMF training, knowledge, and tools.

Local Area Network (LAN) / Wide Area Network (WAN)
  • Phase 1: Continue using the current C&A process with the latest version of the ODAA Process Manual. ATO will last no greater than 18 months starting October 3, 2016.
  • Phase 2: Effective January 1, 2018, execute RMF Assessment and Authorization process through the DAAPM.

Everyone is encouraged to review the DAAPM, templates, and job aids below in preparation for the transition of Single-User and Multi-User Standalones to RMF, effective October 3, 2016.