What is AFI17-101 RMF for Air Force Information Technology (IT)?
AFI17-101 RMF is Air Force Regulation 17-101, which provides guidelines and procedures for managing risk within Air Force IT systems, ensuring the confidentiality, integrity, and availability of information.
Why is risk management important for Air Force IT?
Risk management is crucial for Air Force IT as it helps identify potential threats and vulnerabilities, prioritize resources, and implement appropriate safeguards to protect sensitive information and critical infrastructure.
What does the Risk Management Framework (RMF) entail?
The RMF is a structured and consistent process used to manage risks associated with Air Force IT systems. It involves the identification, assessment, and mitigation of risks through the use of various controls and security measures.
Who is responsible for implementing the RMF within the Air Force?
The Air Force Chief Information Officer (AF CIO) is responsible for overseeing the implementation of the RMF, while the system owners and information system security managers play a vital role in executing the framework.
What steps are involved in the RMF process?
The RMF process consists of six steps: categorization, selection, implementation, assessment, authorization, and monitoring. These steps ensure that all risks are properly identified, evaluated, and controlled throughout the system's life cycle.
What is the purpose of categorization in the RMF process?
Categorization is the initial step of the RMF process, where the system is classified based on its impact level (low, moderate, or high) to determine the required security controls and the rigor of the assessment and authorization process.
How are security controls selected for Air Force IT systems?
Security controls are selected based on the system's categorization and the corresponding impact level. The controls are chosen from the applicable control families outlined in the DoD 8500 series and NIST Special Publication 800-53.
What is the role of the authorization official in the RMF process?
The authorization official is responsible for making an informed decision on whether to authorize the system to operate based on the risk assessment results and the effectiveness of the implemented security controls.
How often is monitoring conducted within the RMF?
Monitoring activities are ongoing throughout the system's life cycle, ensuring that the implemented security controls remain effective and any new risks or vulnerabilities are promptly addressed.