I am currently certifying systems (products) under DIACAP (DoD Information Assurance Certification and Accreditation Process). In the future we will need to use RMF (Risk Management Framework).
- What are the key differences between these two processes?
- What are the similarities (for instance, they both use a POA&M)?
- Is there a defined, documented transition from the older process to the newer? (Something with more meat than the slides at http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2012-10/ispab_oct2012_dcussatt_dod-rmf-transition-brief.pdf)
- Has the reciprocity aspect of RMF worked in practice, between different branches of the DoD and/or services?