Department of Defense
INSTRUCTION
NUMBER 8510.01
March 12, 2014
Incorporating Change 2, July 28, 2017
DoD CIO
SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT)
References: See Enclosure 1
1. PURPOSE. This instruction:
a. Reissues and renames DoD Instruction (DoDI) 8510.01 (Reference (a)) in accordance
with the authority in DoD Directive (DoDD) 5144.02 (Reference (b)).
b. Implements References (c) through (f) by establishing the RMF for DoD IT (referred to in
this instruction as “the RMF”), establishing associated cybersecurity policy, and assigning
responsibilities for executing and maintaining the RMF. The RMF replaces the DoD
Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-
cycle cybersecurity risk to DoD IT in accordance with References (g) through (k).
c. Redesignates the DIACAP Technical Advisory Group (TAG) as the RMF TAG.
d. Directs visibility of authorization documentation and reuse of artifacts between and
among DoD Components deploying and receiving DoD IT.
e. Provides procedural guidance for the reciprocal acceptance of authorization decisions and
artifacts within DoD, and between DoD and other federal agencies, for the authorization and
connection of information systems (ISs).
2. APPLICABILITY
a. This instruction applies to:
(1) OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of
Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General
of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and