A vital aspect of maintaining U.S. technological superiority and military readiness is ensuring the cybersecurity of our information technology systems, weapon systems, and networks.
Program Managers must assume that the system they field, including its external interfaces, will be under cyber attack. By implementing the practices in the referenced guidebook,
programs will be able to more effectively plan, design, develop, test, manufacture, and sustain systems that are more resilient in the face of cyber warfare conducted by a capable adversary.
To be cost-effective, cybersecurity must be addressed early within acquisition and be thoughtfully integrated with systems engineering, test and evaluation, and other acquisition processes throughout the system lifecycle.
The referenced guidebook has been developed to aid acquisition Program Managers and their teams in effectively applying the cybersecurity risk management framework (RMF) to design, build, and test systems addressing cybersecurity capability requirements to operate in a cyber-contested environment. The guidebook explains key concepts and activities for successful implementation of RMF activities and aligns them with all phases of the Department of Defense acquisition lifecycle, including development, operational testing, fielding, and sustainment. The guidebook describes in detail the cybersecurity-related roles and responsibilities, as well as the development and maturation of cybersecurity artifacts and activities. Information, such as system security engineering guidance, sample language for consideration in requests for proposal and contracts, and the cybersecurity risk assessment process, is also presented to assist Program
The guidebook will be updated as lessons learned are identified to ensure that the cybersecurity guidance remains timely, relevant, and actionable.