The Department of Defense Information Assurance Risk Management Framework (DIARMF) will replace the DoD's current DIACAP process. As of March 2011 it is still under development. The DoD Information Assurance Certification & Accreditation Process (DIACAP) will go through the same kind of change that NIST SP 800-37 did when it moved from a C&A guide to Revision 1, the Guide for Applying the Risk Management Framework to Federal Information Systems. Some of the expected changes from DIACAP to DIARMF are:
Adoption of the NIST SP 800-53 security controls (in place of the DoDI 8500.2 IA controls used under DIACAP)
A shift in focus from certification and accreditation to ongoing risk management
A definition of how DoD system types map to the system types NIST defines (for example, how Platform IT fits the NIST notion of a subsystem)
An overall process that looks much more like NIST SP 800-37 Rev 1
It is not yet known what a DIARMF authorization package will look like. Today a DIACAP package consists of the DIACAP Implementation Plan (DIP), the System Identification Profile (SIP), the DIACAP Scorecard, and the POA&M, along with the supporting artifacts, while the NIST SP 800-37 Rev 1 Security Authorization Package consists of the System Security Plan, the Security Assessment Report, and the POA&M. The roles also differ: the NIST Risk Management Framework defines its own set of roles, and they do not line up one-for-one with the roles in the DoD 8500 series. So far, the DON CIO and ASD(NII) have produced mappings between the two sets of roles and between the DoD controls and the 800-53 controls.
The hope is that DIARMF will close all of the gaps between the current DoD C&A process and the NIST SP 800-37 Risk Management Framework.