scope:

Purpose.

This AFI provides implementation instructions for the implementation of the Risk Management Framework (RMF) methodology for Air Force (AF) Information Technology (IT) in accordance with AFPD 17-1, and AFI 17-130, Air Force Cybersecurity Program Management.

The RMF incorporates strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation.

The RMF aligns with Secretary of the Air Force/ Deputy Chief Information Officer (SAF/CN) strategic goals and objectives key concept of cybersecurity that works which requires robust risk assessment and management.

The RMF process encompasses life cycle risk management to determine and manage the residual cybersecurity risk to the AF created by the vulnerabilities and threats associated with objectives in military, intelligence, and business operations.

Privacy and security controls are implemented based on the assessed and mitigated residual risk. The controls align with Department of Defense Instruction (DoDI) 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) and are documented in the RMF security authorization package for AF IT.