Which option correctly identifies a DoD framework used for risk management of information systems and programs?

• A. NIST Risk Management Framework (RMF) for federal information systems.
• B. ITIL Service Management.
• C. COBIT framework for IT governance.
• D. DoD Risk Management Framework (RMF) for information systems and programs.

Answer: (D)

The key idea here is that the Department of Defense uses a dedicated risk management framework tailored for its information systems and programs. This DoD Risk Management Framework provides a structured, lifecycle-based approach to identify, assess, and manage security risks within DoD systems, aligning with the standard RMF steps but with DoD-specific tailoring. It guides categorizing the system, selecting and tailoring security controls (often from NIST SP 800-53), implementing, assessing, authorizing, and continuously monitoring those controls.

This framework is distinct from the NIST RMF used across federal agencies, which applies more broadly outside DoD. It’s also separate from ITIL, which focuses on service management, and COBIT, which centers on IT governance. So for a DoD context, the DoD RMF for information systems and programs is the correct framework.