Email this Article Email   

CHIPS Articles: DCNO for Information Warfare Issues Risk Management Framework Standard Operating Procedures

DCNO for Information Warfare Issues Risk Management Framework Standard Operating Procedures
By Vice Adm. Jeffrey E. Trussler, Deputy Chief of Naval Operations for Information Warfare, OPNAV N2N6 - March 17, 2021
NAVADMIN 062/21 releases the Risk Management Framework (RMF) Standard Operating Procedures (SOPs) in alignment with reference (a) Department of Navy Deputy Command Information Officer (Navy) (DDCIO(N)) RMF Process Guide V3.2 for RMF Step 2,RMF Step 4, and RMF Step 5 and is applicable to all U.S Navy systems under Navy Authorizing Official (NAO) and Functional Authorizing Official (FAO) authorities.

To standardize, streamline, automate reviews, and improve quality of products used for the RMF review process, Deputy Chief of Naval Operations (DCNO) N2N6, in coordination with key Navy Subject Matter Experts (SME), developed a series of SOPs aligned with reference (a) to be used by the Navy RMF community, specifically each Package Submitting Office (PSO) and Security Control Assessor (SCA). These SOPs provide a centralized and consolidated source of requirements that RMF practitioners and their respective RMF projects and packages must meet to achieve an AO authorization.

The SOPs are comprised of a list of requirements, recommended standard language for feedback to the practitioner, and references for each item. Completed SOPs must be fed through the comment generator within the automation tool eMASSter. This will create a standardized report that captures any findings and provides comments to the program. If the report shows no findings, it must still be provided as part of the package as it moves to the next step in the review process. Packages submitted without this SOP report will not be processed in the next step of review.

A two-hour training session on how to utilize the SOPs will be offered to the Echelon II PSOs weekly for four weeks after the release of this message. Initial training sessions will be organized and hosted by the Office of the Chief of Naval Operations (OPNAV) N2N6D6 after the release of this message. Training will continue to be offered quarterly to train new personnel. Training resources will also be available on the RMF portal at the link shown below.

SOP change requests shall be submitted to the SOP inbox: don_rmf_sops.fct@navy.mil. These requests will follow an approved Configuration Control Board (CCB) process with FAO, NAO, and SCA representation under the cognizance of OPNAV N2N6D6. This board will meet approximately every six weeks to review requested changes or on an as needed basis for urgent requests. Changes and/or additions to the SOPs outside of this process are not authorized. RMF package reviewers shall allow a 45-day grace period after the release of a new SOP for packages already under review.

Effective 45 days after the release of this message, every PSO must require use of the Step 2 and Step 5 SOPs prior to submitting an RMF package for decision.

Effective 45 days after the release of this message, the SCA and Functional Security Control Assessor (FSCA) or their appointed liaisons must use the Step4 SOP prior to approving a Security Assessment Plan (SAP) and/or signing a Security Assessment Report (SAR).

The SOPs and eMASSter tool are located at: https://portal.secnav.navy.mil /orgs/OPNAV/N2N6/DDCION/N2N6BC4/RMF/Shared%20Documents/Forms/AllItems.aspx and will be maintained on this site.

POC: MEGAN CANE/GS14/N2N6D6/megan.cane@navy.mil

This NAVADMIN updates reference (a) and will remain in effect until cancelled or superseded.

Download NAVADMIN 062/21 here

Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer