Risk Management Framework (RMF)

Unified information security framework for the entire federal government

RMF is the new path that must be integrated into the acquisition life cycle to demonstrate and assure that cybersecurity risks are being managed throughout the project and not merely tacked on to the final steps prior to achieving Fully Operational Capability (FOC). Navigating the process requires constant documentation and vigilance. Once an ATO is awarded the project must continue to monitor and assess the system(s) to assure that any changes driven by upgrades of the system or network to not compromise nor inject new vulnerabilities.


DISA STIGs Compliance

Getting Your System on the GIG



Getting or keeping your information system on the Global Information Grid (GIG) is a task that requires an immense investment of time. Why? The Department of Defense requires information systems to map to more than 2,000 security controls and depending on whether your system integrates hardware and software you also have to navigate Defense Information Systems Agency (DISA) Security Technical Information Guides (STIGs) compliance. Doing so can tack hundreds if not thousands more checks for your team to validate.

We can help. The DS2 team includes experts that have successfully navigated the DIACAP process that is transitioning to the RMF process. We can augment your team and help map security controls as well as help you build the various artifacts required to submit an Assessment and Authorization (A&A) package required to secure an Authority to Operate (ATO) for your project.

Security Assessment Image


RMF Process Wheel

RMF Process Wheel

Getting Your System Authorized


Risk Assessment Word Jumble

RMF is an iterative process, similar to Edward Deming’s Plan, Do, Check, Act cycle. RMF features the following key sub processes:

  • Categorize system
  • Select security controls
  • Implement security controls
  • Assess security controls
  • Authorize system
  • Monitor security controls

Building A&A packages is tedious and time-consuming work that our analysts excel at; they can work with your Subject Matter Expert (SMEs) to tackle the documentation while your team focuses on the development and/or maintenance of your system. Give us a call to see how we can help you integrate RMF.