Comments on: Transitioning from DIACAP to RMF
https://phoenixts.com/blog/diacap-vs-rmf/
Feed last updated: Tue, 21 Jan 2020 15:52:08 +0000

By: Ben Tchoubineh, CEO of Phoenix TS (Fri, 22 Aug 2014 16:47:50 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-14
In reply to Russell J. Richards, Chief CC43/DISA.

Hi Russell. Please see my comments below. I didn’t hit the reply button, so you may not have seen them.

By: Ben Tchoubineh, CEO of Phoenix TS (Fri, 22 Aug 2014 16:46:53 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-13
Russell,

As of about two weeks ago, the new link is:

https://rmfks.osd.mil/

We’ll update it in the body of the blog. Thank you so much for bringing this to our attention.

By: Ben Tchoubineh, CEO of Phoenix TS (Fri, 22 Aug 2014 14:24:47 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-12
Dear Russell,

As far as I know, https://diacap.iaportal.navy.mil/ should be working. It may be under repair. I will investigate and get back to you on this post.

You are correct that the process is highly subjective, but this is in fact a good thing. Because of the huge number of systems in the Federal ecosystem, there is no one size that all systems can fit in. It's up to the system owners to categorize their systems' confidentiality, integrity and availability requirements based on loose high-level guidance (FIPS-199). The idea is that no one knows their requirements better than the owner/user/admins. But there are still management controls built in:

1. The FIPS-199 broad security categorization process is only one piece of the puzzle. The system owner's decisions are still validated by the AO (DAA) and control assessors (auditors).

2. For DOD and Intelligence systems, the broad categorization process (FIPS-199) and its related controls (NIST SP 800-53) are too loose. In that case, National Security Systems (NSS), which comprise almost all DOD and IC systems, use the CNSSI 1253 guidance and controls for much more granular and stringent decision-making guidance.

Hope this helps! 🙂

I’ll get back to you on the link.

By: Russell J. Richards, Chief CC43/DISA (Thu, 21 Aug 2014 22:53:58 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-11
CATEGORIZING SYSTEMS

Article states: "RMF will adopt a new system using the actual CIA objectives. Under this mechanism, each of the three objectives is rated High (H), Moderate (M) or Low (L) for each system. So one system may be rated as {C:L; I:M; A:M} while another may be rated as {C:H; I:H; A:L} and so on." Won't this still be a subjective process? And unless very specific criteria between H/M/L are established (like they do for the ratings of technical elements in a contract selection panel), the ratings among organizations (Defense vs. Civil Agencies, Army vs. Navy, Intel vs. combat operations, etc.) and thus the categorization will still be skewed.

By: Russell J. Richards, Chief CC43/DISA (Thu, 21 Aug 2014 22:44:44 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-10
Described as:

A DoD-issued Common Access Card provides access to a complete mapping in the DIACAP Knowledge Service* (CAC required) under the C&A Transformation section.

The link referenced by the asterisk does not work. Has it been replaced by an RMF portal? If not, where does the DIACAP to RMF mapping exist on the net?

By: Dennis Janicek (Fri, 16 Aug 2013 00:21:22 +0000) https://phoenixts.com/blog/diacap-vs-rmf/#comment-9
I found this useful. I actually like the way NIST SpecPub 800-53, Recommended Security Controls, is laid out. It is in a different language than DODI 8500.2 and does take some translation to compare the requirements.
