diarmf - implement


risk management framework steps


The risk management framework steps are detailed in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

The DoD has recently adopted the Risk Management Framework steps (called the DIARMF process). There are six steps: Categorize, Select, Implement, Assess, Authorize and Continuous Monitoring.


risk management framework – Step 1. Categorize

The first risk management framework step is categorization. This step consists of classifying the importance of the information system. This is done by the system owner with FIPS 199 and NIST 800-60.

Categorization is based on how much negative impact the organization would suffer if the information system lost its confidentiality, integrity or availability.
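As an added illustration of how FIPS 199 rolls individual information types up into a system category (example code written for this page, not from the original post or from NIST), the information types and impact levels below are constructed sample values, not taken from NIST SP 800-60:

```python
# Added example: FIPS 199 security categorization by the high-water mark.
# The information types and their impact levels are constructed samples,
# not values from NIST SP 800-60.

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(*levels):
    """Return the highest FIPS 199 impact level among those given."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Roll per-information-type impact levels up into a system category.

    info_types maps an information type to a dict with LOW/MODERATE/HIGH
    for each security objective. For each objective, the system takes the
    highest impact across all information types it handles; the overall
    system impact level is the highest of those three.
    """
    per_objective = {
        obj: high_water_mark(*(levels[obj] for levels in info_types.values()))
        for obj in OBJECTIVES
    }
    return per_objective, high_water_mark(*per_objective.values())


def format_security_category(per_objective):
    """Render the FIPS 199 notation SC = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({obj}, {lvl})" for obj, lvl in per_objective.items())
    return "SC = {" + pairs + "}"


# Constructed sample: one system processing three information types.
SAMPLE_SYSTEM = {
    "personnel records":   {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public web content":  {"confidentiality": "LOW",      "integrity": "MODERATE", "availability": "LOW"},
    "security audit logs": {"confidentiality": "LOW",      "integrity": "HIGH",     "availability": "MODERATE"},
}

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_SYSTEM)
    print(format_security_category(per_obj))
    print("Overall system impact level:", overall)
```

Note that no single information type is HIGH in more than one objective, yet the system as a whole is categorized HIGH; that is the high-water mark effect the categorization step depends on.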


risk management framework – Step 2. Select

With FIPS 200 and NIST SP 800-53, the organization responsible for the system's security selects the security controls required to limit the risk to the organization. The selection of controls is based on the categorization of the system. A system security plan is created as a guide to what will be installed and/or configured on the system.

More on DIARMF – Select

risk management framework – Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3. This step is implementation, which is the installation and configuration of security patches, hotfixes and security devices where necessary. Guidance for the actual implementation has to come from technical manuals, system administrators, system engineers and others who are technically competent enough to do the work.

More on DIARMF – Implement

risk management framework – Step 4. Assess

The organization has to make sure that the security controls are implemented properly. This is done in risk management framework step 4, assess. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is used to determine which controls have been fully implemented to limit the risks to the organization.

More on DIARMF – Assess

risk management framework – Step 5. Authorize

Even after implementation and assessment of the security controls that limit the overall risk to the organization, there is some remaining (residual) risk. The organization must have someone with enough authority over the system to accept the residual risk. This person is known as the Authorizing Official.

In risk management framework step 5, an Authorizing Official makes a formal, written acceptance of the risks. The AO decides whether or not to accept the risk based on the authorization package. The authorization package consists of the system security plan, plan of action and milestones, security/risk assessment report and any other supporting documents.


More on DIARMF – Authorization

risk management framework – Step 6. Continuous Monitoring

After the organization accepts the risk, it must develop a program that monitors ongoing changes to the system's security posture. It takes a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

More on DIARMF – Continuous Monitoring


DIARMF Implement


What you will learn:

  • Overview of Step 3, Implementation
  • Where to go for technical help on implementation

In Step 3 of the DIARMF, the organization implements the security controls specified in the security plan. Implementation relies heavily on the Security Plan documented in Step 2, selecting the security controls.

Who Does the DIARMF Implementation?


Although primary responsibility for implementation lies with the Information System Owner or Common Control Provider, the work is delegated to a system administrator, information system security officer and/or system engineer.

Whatever their title, the most important thing is that they know HOW to do it and, ideally, have experience doing it. The organization is usually bound by regulations to select only qualified technicians to do the work. US Department of Defense (DoD) Directive 8570.1-M, Information Assurance Training, Certification, and Workforce Management, is the policy the DoD uses to determine what is “qualified”. This policy identifies the specific certifications and training that IT professionals need in order to be considered qualified for certain work.

Realistically, a certification is a poor substitute for real-world experience, and most seasoned employers who understand their companies' needs recognize this.


How is DIARMF Implementation done and When?

The managers (information assurance managers, systems/program managers) are the key to getting things done. For managers, the most important parts of implementation are planning and resources. An organization needs both managed well to be successful.

Resources: resources are qualified personnel to do the work, funding to keep the work going, and the material, software and hardware needed to get the job done. These resources need to be managed appropriately. One of the hardest parts of a manager's job is making sure there are enough resources to get the work done.

Timeframe & Planning: planning, and planning the use of limited resources in particular, is a must! Assuming there is a requirement for the work to be done, not much can be done efficiently without a plan. The main job of managers (information assurance managers, systems/program managers) is to get the most effective use out of the resources provided.

Managers are the centerpiece of getting the job done. Without good management, it's very hard for the system administrators, information system security officers, technicians and engineers to do their jobs, because they must take time away from the work to manage themselves: attending back-to-back meetings with higher-ups, completing documentation that has nothing to do with the project, and making critical decisions that are outside the scope of their job. All of this puts them and the project itself at risk.

A good manager runs interference for his team, provides the team with all the tools they need to be successful, and sets realistic milestones that are tracked diligently from start to finish of the project.

A bad manager is self-serving, lazy and goes out of their way to sabotage the project by being an asshole. They sow mistrust by absorbing all the credit for good work and deflecting all the blame for bad work. They are mostly ignorant of what is going on. They make everyone's life harder by breathing.

DIARMF Documentation & Implementation

It's important to document which security controls are implemented. This helps continuity, especially since some security controls break functionality, and it also helps with DIARMF Assessment.

DOD Resources for DIARMF Implementation

For guidance on certain technical security controls you will have to go to actual vendor documentation, online knowledge bases, technical manuals, and if necessary the support technicians for specific products. Other places that are helpful are:
