
I am currently certifying systems (products) under DIACAP (DoD Information Assurance Certification and Accreditation Process). In the future we will need to use RMF (Risk Management Framework).

1 Answer

  • Concept of Operations (CONOPS)
  • Ports, Protocols, & Services Management (PPSM)
    • Hardware / Software list
    • Network diagram
  • System Security Plan (SSP) / Application Security Plan (formerly DIP/SIP)
  • Security Assessment Report (SAR), a.k.a. Risk Assessment Report (RAR)
  • Information Security Continuous Monitoring (ISCM) Plan
  • Plan of Action and Milestones (POA&M)
  • Configuration Management Plan (CMP)
  • Configuration Control Board Charter (CCB)
  • Incident Response Plan (IRP)
  • Rules of Behavior (ROB) / Acceptable Use Policy (AUP)
  • Systems Administration Manual (SAM)
  • Continuity of Operations Plan (COOP) or Business Continuity Plan (BCP)
  • Disaster Recovery Plan (DRP)
  • Contingency Plan (CP)
  • System Level Agreements (SLA), Memorandum of Agreements (MOA) or Memorandum of Understanding (MOU)

DIACAP to RMF artifact differences:

  • SSP replaces System Identification Profile (SIP) and DIACAP Implementation Plan (DIP)
  • SAR replaces Scorecard and Evaluation Risk Report (ERR)
  • Security Control Assessor (SCA) replaces Validator or ACA
  • Security Authorization Package (SAP) replaces DIACAP Package
  • Information System Security Officer (ISSO) / Manager (ISSM) replaces IAM / IAO

Vilican