scope:

Purpose.

This AFI provides implementation instructions for the Risk Management Framework (RMF) methodology for Air Force (AF) Information Technology (IT) according to AFPD 17-1, Information Dominance Governance and Management, and AFI 17-130, Air Force Cybersecurity Program Management, which is only one component of cybersecurity. 

The RMF incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation.

The RMF aligns with SAF/CIO A6's AF Information Dominance Flight Plan key concept of increasing cybersecurity of AF information systems; therefore, robust risk assessment and management is required.

The RMF process encompasses life cycle risk management to determine and manage the residual cybersecurity risk to the AF created by the vulnerabilities and threats associated with objectives in military, intelligence, and business operations.

Effective implementation and resultant residual risk associated with security controls implementation is assessed and mitigated, aligns with DoDI 8510.01, and as documented in the RMF security authorization package for AF IT.

Discrete classes of systems (i.e., AF financial systems) are subject to additional requirements contained in Attachment 3 to this document. Guidance contained in Attachment 3 are intended to supplement, but not replace, the policy limits articulated in this Instruction.