
DEPARTMENT OF THE AIR FORCE - AF

BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 17-101
2 FEBRUARY 2017
Cyberspace
RISK MANAGEMENT FRAMEWORK (RMF) FOR AIR FORCE INFORMATION TECHNOLOGY (IT)

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

ACCESSIBILITY: Publications and forms are available for downloading or ordering on the e-Publishing website at
RELEASABILITY: There are no releasability restrictions on this publication.
OPR: SAF/CIO A6ZC
Supersedes: AFI33-210, 23 December 2008
Certified by: SAF/CIO A6Z (Peter E. Kim, AF CISO)
Pages: 49

This Air Force Instruction (AFI) implements Air Force Policy Directive (AFPD) 17-1, Information Dominance Governance and Management, 12 April 2016; AFPD 33-3, Information Management, 8 September 2011; DoDI , Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014; and associated processes outlined on the AF RMF Knowledge Service (KS), for managing the life-cycle cybersecurity risk to Air Force Information Technology (IT) consistent with the Federal Information Security Modernization Act (FISMA) of 2014, DoDI , Cybersecurity, 14 March 2014, and DoD Directive , Management of the Department of Defense Information Enterprise, 10 February 2009.

Department of the Air Force, Washington, DC. AFI17-101_AFGM2018-01, 30 May 2018. Memorandum for Distribution C, MAJCOMs/FOAs/DRUs. From: SAF/CIO A6.


This instruction is consistent with Chairman of the Joint Chiefs of Staff Instruction (CJCSI) , Information Assurance (IA) and Support to Computer Network Defense (CND). Direct questions, comments, recommended changes, or conflicts with this publication through command channels using AF Form 847, Recommendation for Change of Publication, to SAF/CIO A6. This publication applies to all military and civilian AF personnel, members of the AF Reserve Command (AFRC) and Air National Guard (ANG), and third-party governmental employee and contractor support personnel, in accordance with the applicable provisions of memoranda, support agreements, and AF contracts. The authorities to waive requirements in this publication are identified with a Tier number (T-0, T-1, T-2, T-3) following the compliance statement. See AFI 33-360, Publications and Forms Management, Table , for a description of the authorities associated with the Tier numbers.

Submit requests for waivers through the chain of command to the appropriate Tier waiver approval authority, or alternately to the publication's office of primary responsibility (OPR) for non-tiered compliance items. Send any supplements to this publication to SAF/CIO A6 for review, coordination, and approval prior to publication. Unless otherwise noted, SAF/CIO A6 is the waiver authority for policies contained in this publication. Ensure all records created as a result of processes prescribed in this publication are maintained in accordance with (IAW) AFMAN 33-363, Management of Records, and disposed of IAW the Air Force Records Disposition Schedule (RDS) located in the Air Force Records Information Management System (AFRIMS).

SUMMARY OF CHANGES

This document is substantially changed and must be reviewed in its entirety. This instruction reissues, renames, supersedes, and rescinds AFI 33-210, Air Force Certification and Accreditation Program, as AFI 17-101, Risk Management Framework for Air Force Information Technology.

This directive establishes the Risk Management Framework (RMF) for AF IT, establishes associated cybersecurity policy, and assigns responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to AF IT.

Chapter 1 PROGRAM OVERVIEW .. 5
Applicability .. 5
Figure: Air Force IT Categories .. 6
Objectives .. 6
Chapter 2 ROLES AND RESPONSIBILITIES .. 7
Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIO A6) .. 7
Administrative Assistant to the Secretary of the Air Force (SAF/AA) .. 7
Secretary of the Air Force for Acquisition (SAF/AQ) .. 7
Deputy Chief of Staff, Intelligence, Surveillance, and Reconnaissance (AF/A2) .. 8
Chief Information Security Officer (CISO), SAF/CIO A6Z .. 8
Authorizing Official (AO) .. 9
Air Force Enterprise Authorizing Official (AF Enterprise AO) .. 10
AO Designated Representative (AODR) .. 10
Security Control Assessor (SCA) .. 10
Security Controls Assessor Representative (SCAR) .. 11
Agent of the Security Controls Assessor (ASCA) .. 11
Information System Owners (ISO) .. 12
Program Manager (PM) .. 13
Unit Communications Squadron Commander (CS/CC) .. 14
Information System Security Manager (ISSM) .. 14
Information System Security Officer (ISSO) .. 15
Information Systems Security Engineer (ISSE) .. 15
Information Owner (IO)/Steward .. 16
MAJCOM Cybersecurity Office or Function .. 16
User Representative (UR) .. 16
Additional Responsibilities .. 17
Table: AF RMF Appointment Matrix .. 17
Cybersecurity Forums .. 17
Chapter 3 RMF METHODOLOGY .. 19
Overview .. 19
Figure: RMF for AF IT .. 19
RMF Step 1, CATEGORIZE System .. 19
RMF Step 2, SELECT Security Controls .. 21
RMF Step 3, IMPLEMENT Security Controls .. 22
RMF Step 4, ASSESS Security Controls .. 22
RMF Step 5, AUTHORIZE System .. 22
Denial of Authorization to Operate (DATO) .. 23
RMF Step 6, MONITOR Security Controls .. 23
Resources and Tools .. 24
Chapter 4 APPROVAL TO CONNECT (ATC) PROCESS .. 25
Overview .. 25
Duration and Expiration .. 25
Connection to the DoDIN .. 25
Connection to the Air Force Information Networks (AFIN) .. 25
Guest System Registration .. 26
ATC Process for Air Force Functional/Mission Systems .. 26
Continuous Monitoring .. 26
Denial of Approval to Connect (DATC) .. 26
Chapter 5 SECURITY CONTROL OVERLAYS .. 28
Overview .. 28
Policy .. 28
Development and Approval Process .. 28
Review and Coordinate Finalized Overlay .. 29
Coordinate with DISA to Implement Overlay in eMASS .. 29
Chapter 6 TRANSFER OF IT BETWEEN AUTHORIZING OFFICIALS .. 30
Overview .. 30
Transition Process .. 30
IT With No AO Assigned .. 30
Chapter 7 RMF TRANSITION .. 32
Overview .. 32
Transition Timeline .. 32
RMF Deviation Requests .. 32
Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION .. 33
Attachment 2 AF IT ASSESS ONLY REQUIREMENTS .. 40
Attachment 3 FINANCIAL IMPROVEMENT AND AUDIT READINESS (FIAR) IT CONTROLS GUIDANCE (OPR: AF/FM) .. 42

Chapter 1 PROGRAM OVERVIEW

Purpose. This AFI provides implementation instructions for the Risk Management Framework (RMF) methodology for Air Force (AF) Information Technology (IT) according to AFPD 17-1, Information Dominance Governance and Management, and AFI 17-130, Air Force Cybersecurity Program Management; the RMF is only one component of cybersecurity. The RMF incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation. The RMF aligns with the SAF/CIO A6's AF Information Dominance Flight Plan key concept of increasing the cybersecurity of AF information systems; therefore, robust risk assessment and management is required.

The RMF process encompasses life-cycle risk management to determine and manage the residual cybersecurity risk to the AF created by the vulnerabilities and threats associated with objectives in military, intelligence, and business operations. The effectiveness of security control implementation, and the resulting residual risk, is assessed and mitigated in alignment with DoDI , and documented in the RMF security authorization package for AF IT. Discrete classes of systems (e.g., AF financial systems) are subject to additional requirements contained in Attachment 3 to this document. Guidance contained in Attachment 3 is intended to supplement, but not replace, the policy limits articulated in this Instruction.

Applicability. This publication is binding on all military, civilian, and contract employees, and other individuals or organizations as required by binding agreement or obligation with the Department of the Air Force, who develop, acquire, deliver, use, operate, support, or manage AF IT.

This publication applies to all networked or standalone IT used to receive, process, store, display, or transmit AF information (or Government information where the AF has agreed to manage the information or infrastructure), as well as DoD-partnered systems where it is agreed that DoD standards are followed. AF IT (see Figure ) includes but is not limited to: information systems (IS) (major applications and enclaves), platform information technology (PIT) (PIT systems, PIT subsystems, and PIT products), IT services (internal and external), and IT products (software, hardware, and applications). This AFI does not apply to the protection of Sensitive Compartmented Information (SCI) systems, or intelligence, surveillance, and reconnaissance mission and mission support systems, or to higher authoritative guidance governing Special Access Program (SAP) systems. Authority for AF space systems rests with AF Space Command (AFSPC) as delegated by United States Strategic Command (USSTRATCOM).

AF space systems follow AF cybersecurity policy and processes; where exceptions exist, this Instruction is annotated accordingly. NOTE: Space systems supporting more than one DoD Component will follow the cybersecurity policy and guidance in DoDI , Information Assurance (IA) Policy for Space Systems Used by the Department of Defense. For IT that is not centrally managed or has not yet been assigned an Authorizing Official (AO), the unit responsible for ownership or operation of the IT shall assign duties for the minimum RMF-relevant roles (see Table ) required to comply with the RMF. These duties shall include the roles and responsibilities for reporting, oversight, and risk management to the AF.

Figure: Air Force IT Categories.

Objectives. The RMF replaces the DIACAP and manages the life-cycle cybersecurity risk to AF IT. The RMF provides a disciplined and structured process to perform AF IT security and risk management activities and to integrate those activities into the system development life cycle.
