NAVY IMPLEMENTATION OF DOD RISK MANAGEMENT FRAMEWORK:

UNCLASSIFIED//
ROUTINE
R 171650Z JUN 15
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS

NAVADMIN 140/15

MSGID/GENADMIN/CNO WASHINGTON DC/N2N6BC/JUN//

SUBJ/NAVY IMPLEMENTATION OF DOD RISK MANAGEMENT FRAMEWORK//

REF/A/DOC/DODI 8510.01/20140312//
REF/B/DOC/DODI 8500.01/20140314//
NARR/Reference (a) is Department of Defense Instruction 8510.01, Risk 
Management Framework for DoD Information Technology.  Reference (b) is 
Department of Defense Instruction 8500.01, Cybersecurity.//
POC/MS. BROOKE ZIMMERMAN/CIV/OPNAV N2N6/WASHINGTON DC/TEL:  (571) 256-
8521/EMAIL:  brooke.zimmerman@navy.mil//

RMKS/1.  Department of Defense (DoD) has released references (a) and (b), 
which outline new Assessment and Authorization (A&A) policies and processes 
and replace the DoD Information Assurance Certification and Accreditation 
Process (DIACAP) instruction.  Deputy Director Chief Information Officer 
(Navy) has released the following timeline for a phased Navy Risk Management 
Framework (RMF) transition.
    a.  The first RMF transition period is from 1 August 2015 through 31 
December 2016.  During the first RMF transition period, Echelon II commands 
are required to use the RMF process and artifacts for at least 33 percent of 
their information technology (IT) portfolio requiring a new 
accreditation/authorization or renewal of an expiring accreditation.  The 
approval durations for the first transition period are as follows:  The 
accreditation length for a DIACAP submission will be a maximum of two years 
and the authorization period for an RMF submission will be a maximum of three 
years.
    b.  The second RMF transition period is from 1 January 2016 through 30 
April 2016.  During the second RMF transition period, Echelon II commands are 
required to use the RMF process and artifacts for at least 50 percent of 
their IT portfolio requiring a new accreditation/authorization or renewal of 
an expiring accreditation.  The approval durations for the second transition 
period are as follows:  The accreditation length for a DIACAP submission will 
be an maximum of 1.5 years and the authorization period for a RMF submission 
will be for a maximum of three years.
    c.  The final RMF transition period is from 1 May 2016 through 30 
September 2016.  During the final RMF transition period, Echelon II commands 
are required to use the RMF process and artifacts for at least 75 percent of 
their IT portfolio requiring a new accreditation/authorization or renewal of 
an expiring accreditation.  The approval durations for the last transition 
period are as follows: the accreditation length for a DIACAP submission will 
be a maximum of 1.5 years and the authorization period for an RMF submission 
will be a maximum of three years.
    d.  All A&A submissions beginning 1 October 2016 will be under RMF.

2.  Current Platform Information Technology (PIT) systems with an expiring 
Interim/PIT Risk Assessment (I/PRA) will use the current DIACAP process for a 
short term I/PRA until phase II of the RMF implementation begins in June 
2016.  At that time, all current PIT will be reassessed and authorized under 
RMF.

3.  New non-conventional IT (e.g., weapons/control systems, internal 
communications systems, hull, mechanical, and electrical) submissions will 
not be accepted until phase II of the RMF implementation in June 2016.

4.  Further transition guidance for non-conventional IT after phase I will be 
provided by separate correspondence.

5.  Information on the RMF process and transition can be found on the RMF 
Knowledge Service (https://rmfks.osd.mil/login.htm) and the Federal 
Communications Commission Operational Designated Accrediting Authority 
(https://usff.portal.navy.mil/sites/fcc-c10f/odaa/default.aspx) websites.

6.  This NAVADMIN will remain in effect until cancelled or superseded.

7.  Released by VADM Ted N. Branch, OPNAV N2/N6.//

BT
#0001
NNNN
UNCLASSIFIED//