
DEPARTMENT OF THE AIR FORCE - AF


BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 17-101
2 FEBRUARY 2017
Cyberspace
RISK MANAGEMENT FRAMEWORK (RMF) FOR AIR FORCE INFORMATION TECHNOLOGY (IT)

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

ACCESSIBILITY: Publications and forms are available for downloading or ordering on the e-Publishing website at
RELEASABILITY: There are no releasability restrictions on this publication.
OPR: SAF/CIO A6ZC
Supersedes: AFI33-210, 23 December 2008
Certified by: SAF/CIO A6Z (Peter E. Kim, AF CISO)
Pages: 49

This Air Force Instruction (AFI) implements Air Force Policy Directive (AFPD) 17-1, Information Dominance Governance and Management, 12 April 2016; AFPD 33-3, Information Management, 8 September 2011; DoDI , Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014; and associated processes outlined on the AF RMF Knowledge Service (KS), for managing the life-cycle cybersecurity risk to Air Force Information Technology (IT) consistent with the Federal Information Security Modernization Act (FISMA) of 2014, DoDI , Cybersecurity, 14 March 2014, and DoD Directive , Management of the Department of Defense Information Enterprise, 10 February 2009. This instruction is consistent with Chairman Joint Chiefs of Staff Instruction (CJCSI) , Information Assurance (IA) and Support to Computer Network Defense (CND). Direct questions, comments, recommended changes, or conflicts to this publication through command channels using the AF Form 847, Recommendation for Change of Publication, to SAF/CIO A6. This publication applies to all military and civilian AF personnel, members of the AF Reserve Command (AFRC), Air National Guard (ANG), and third-party governmental employee and contractor support personnel in accordance with appropriate provisions contained in memoranda, support agreements and AF contracts.

The authorities to waive requirements in this publication are identified with a Tier number (T-0, T-1, T-2, T-3) following the compliance statement. See AFI 33-360, Publications and Forms Management, Table for a description of the authorities associated with the Tier numbers. Submit requests for waivers through the chain of command to the appropriate Tier waiver approval authority, or alternately, to the Publication office of primary responsibility (OPR) for non-tiered compliance items. Send any supplements to this publication to SAF/CIO A6 for review, coordination, and approval prior to publication.

Unless otherwise noted, the SAF/CIO A6 is the waiver authority to policies contained in this publication. Ensure all records created as a result of processes prescribed in this publication are maintained in accordance with (IAW) AFMAN 33-363, Management of Records, and disposed of IAW the Air Force Records Disposition Schedule (RDS) located in the Air Force Records Information Management System (AFRIMS).

SUMMARY OF CHANGES

This document is substantially changed and must be reviewed in its entirety. This instruction reissues, renames, supersedes, and rescinds AFI 33-210, Air Force Certification and Accreditation Program, to AFI 17-101, Risk Management Framework for Air Force Information Technology. This directive establishes the Risk Management Framework (RMF) for AF IT, establishes associated cybersecurity policy, and assigns responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to AF IT.

Chapter 1 PROGRAM OVERVIEW
    Applicability
    Figure Air Force IT Categories
    Objectives
Chapter 2 ROLES AND RESPONSIBILITIES
    Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIO A6)
    Administrative Assistant to the Secretary of the Air Force (SAF/AA)
    Secretary of the Air Force for Acquisition (SAF/AQ)
    Deputy Chief of Staff, Intelligence, Surveillance, and Reconnaissance (AF/A2)
    Chief Information Security Officer (CISO), SAF/CIO A6Z
    Authorizing Official (AO)
    Air Force Enterprise Authorizing Official (AF Enterprise AO)
    AO Designated Representative (AODR)
    Security Control Assessor (SCA)
    Security Controls Assessor Representative (SCAR)
    Agent of the Security Controls Assessor (ASCA)
    Information System Owners (ISO)
    Program Manager (PM)
    Unit Communications Squadron Commander (CS/CC)
    Information System Security Manager (ISSM)
    Information System Security Officer (ISSO)
    Information Systems Security Engineer (ISSE)
    Information Owner (IO)/Steward
    MAJCOM Cybersecurity Office or Function
    User Representative (UR)
    Additional Responsibilities
    Table AF RMF Appointment Matrix
    Cybersecurity Forums
Chapter 3 RMF METHODOLOGY
    Overview
    Figure RMF for AF IT
    RMF Step 1, CATEGORIZE System
    RMF Step 2, SELECT Security Controls
    RMF Step 3, IMPLEMENT Security Controls
    RMF Step 4, ASSESS Security Controls
    RMF Step 5, AUTHORIZE System
    Denial of Authorization to Operate (DATO)
    RMF Step 6, MONITOR Security Controls
    Resources and Tools
Chapter 4 APPROVAL TO CONNECT (ATC) PROCESS
    Overview
    Duration and Expiration
    Connection to the DoDIN
    Connection to the Air Force Information Networks (AFIN)
    Guest System Registration
    ATC Process for Air Force Functional/Mission Systems
    Continuous Monitoring
    Denial of Approval to Connect (DATC)
Chapter 5 SECURITY CONTROL OVERLAYS
    Overview
    Policy
    Development and Approval Process
    Review and Coordinate Finalized Overlay
    Coordinate with DISA to Implement Overlay in eMASS
Chapter 6 TRANSFER OF IT BETWEEN AUTHORIZING OFFICIALS
    Overview
    Transition Process
    IT With No AO Assigned
Chapter 7 RMF TRANSITION
    Overview
    Transition Timeline
    RMF Deviation Requests
Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION
Attachment 2 AF IT ASSESS ONLY REQUIREMENTS
Attachment 3 FINANCIAL IMPROVEMENT AND AUDIT READINESS (FIAR) IT CONTROLS GUIDANCE (OPR: AF/FM)

Chapter 1 PROGRAM OVERVIEW

Purpose.

This AFI provides implementation instructions for the Risk Management Framework (RMF) methodology for Air Force (AF) Information Technology (IT) according to AFPD 17-1, Information Dominance Governance and Management, and AFI 17-130, Air Force Cybersecurity Program Management. The RMF is only one component of cybersecurity; it incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation. The RMF aligns with the SAF/CIO A6's AF Information Dominance Flight Plan key concept of increasing the cybersecurity of AF information systems; therefore, robust risk assessment and management is required.
