{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T22:50:23Z","timestamp":1768517423823,"version":"3.49.0"},"reference-count":58,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2023,10,12]],"date-time":"2023-10-12T00:00:00Z","timestamp":1697068800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100005073","name":"Agency for Defense Development Institute","doi-asserted-by":"publisher","award":["9129156"],"award-info":[{"award-number":["9129156"]}],"id":[{"id":"10.13039\/501100005073","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>As the world undergoes rapid digitalization, individuals and objects are becoming more extensively connected through the advancement of Internet networks. This phenomenon has been observed in governmental and military domains as well, accompanied by a rise in cyber threats consequently. The United States (U.S.), in response to this, has been strongly urging its allies to adhere to the RMF standard to bolster the security of primary defense systems. An agreement has been signed between the Republic of Korea and the U.S. to collaboratively operate major defense systems and cooperate on cyber threats. However, the methodologies and tools required for RMF implementation have not yet been fully provided to several allied countries, including the Republic of Korea, causing difficulties in its implementation. In this study, the U.S. RMF process was applied to a specific system of the Republic of Korea Ministry of National Defense, and the outcomes were analyzed. Emphasis was placed on the initial two stages of the RMF: \u2018system categorization\u2019 and \u2018security control selection\u2019, presenting actual application cases. Additionally, a detailed description of the methodology used by the Republic of Korea Ministry of National Defense for RMF implementation in defense systems is provided, introducing a keyword-based overlay application methodology. An introduction to the K-RMF Baseline, Overlay, and Tailoring Tool is also given. The methodologies and tools presented are expected to serve as valuable references for ally countries, including the U.S., in effectively implementing the RMF. It is anticipated that the results of this research will contribute to enhancing cyber security and threat management among allies.<\/jats:p>","DOI":"10.3390\/info14100561","type":"journal-article","created":{"date-parts":[[2023,10,12]],"date-time":"2023-10-12T12:46:13Z","timestamp":1697114773000},"page":"561","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Exploring Effective Approaches to the Risk Management Framework (RMF) in the Republic of Korea: A Study"],"prefix":"10.3390","volume":"14","author":[{"given":"Giseok","family":"Jeong","sequence":"first","affiliation":[{"name":"Maritime Guided Weapon Program Team, Defense Acquisition Program Administration, Gwacheon 13809, Republic of Korea"},{"name":"Department of Computer Engineering, Sejong University, Seoul 05006, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9094-4053","authenticated-orcid":false,"given":"Kookjin","family":"Kim","sequence":"additional","affiliation":[{"name":"Cyber Warfare Research Institute, Sejong University, Seoul 05006, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sukjoon","family":"Yoon","sequence":"additional","affiliation":[{"name":"Cyber Warfare Research Institute, Sejong University, Seoul 05006, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2665-3339","authenticated-orcid":false,"given":"Dongkyoo","family":"Shin","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Sejong University, Seoul 05006, Republic of Korea"},{"name":"Cyber Warfare Research Institute, Sejong University, Seoul 05006, Republic of Korea"},{"name":"Department of Convergence Engineering for Intelligent Drones, Sejong University, Seoul 05006, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jiwon","family":"Kang","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Sejong University, Seoul 05006, Republic of Korea"},{"name":"Cyber Warfare Research Institute, Sejong University, Seoul 05006, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,10,12]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"287","DOI":"10.1007\/s10207-020-00503-w","article-title":"Cyber security in new space: Analysis of threats, key enabling technologies and challenges","volume":"20","author":"Manulis","year":"2021","journal-title":"Int. J. Inf. Secur."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1080\/13523260.2019.1678855","article-title":"Cyber security meets security politics: Complex technology, fragmented politics, and networked science","volume":"41","author":"Wenger","year":"2020","journal-title":"Contemp. Secur. Policy"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"8176","DOI":"10.1016\/j.egyr.2021.08.126","article-title":"A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments","volume":"7","author":"Li","year":"2021","journal-title":"Energy Rep."},{"key":"ref_4","first-page":"37","article-title":"Risk management framework for information systems and organizations","volume":"800","author":"Force","year":"2018","journal-title":"NIST Spec. Publ."},{"key":"ref_5","unstructured":"Sherman, J.B. (2022). DoD Instruction 8510.01 Risk Management Framework for DoD Systems."},{"key":"ref_6","unstructured":"Gorman, C.N. (2016). DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued from August 1, 2015 through July 31, 2016 (REDACTED)."},{"key":"ref_7","unstructured":"Odell, L.A., DePuy, C.E., Fauntleroy, J.C., Rabren, T.C., and Seitz-McLeese, M.G. (2017). Recommendations for Improving Agility in Risk Management for Urgent and Emerging Capability Acquisit\u2014Ns\u2014Quick Look Report, JSTOR."},{"key":"ref_8","unstructured":"Commanders, C., Defense, U., and Defense, A. (2003). Subject: DoD Information System Certification and Accreditation Reciprocity."},{"key":"ref_9","unstructured":"Landree, E., Gonzales, D., Ohlandt, C., and Wong, C. (2010). Implications of Aggregated DoD Information Systems for Information Assurance Certification and Accreditation, RAND."},{"key":"ref_10","first-page":"34","article-title":"Cybersecurity: Defending the new battlefield","volume":"42","author":"Hutchison","year":"2013","journal-title":"Def. AT&L"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1109\/MC.2007.284","article-title":"Managing enterprise security risk with NIST standards","volume":"40","author":"Ross","year":"2007","journal-title":"Computer"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Combass, T., and Shilling, A. (2016, January 12\u201315). Integrating cybersecurity into NAVAIR OTPS acquisition. Proceedings of the 2016 IEEE AUTOTESTCON, Anaheim, CA, USA.","DOI":"10.1109\/AUTEST.2016.7589632"},{"key":"ref_13","unstructured":"Teresa, M.T. (2014). DoDI 8500.01 Cybersecurity."},{"key":"ref_14","unstructured":"Joint Task Force Transformation Initiative (2011). SP 800-39. Managing Information Security Risk: Organization, Mission, and Information System View."},{"key":"ref_15","unstructured":"Ross, R. (2010). NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems."},{"key":"ref_16","unstructured":"Committee on National Security Systems (2021). IA Risk Management Policy for NSS."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Stoneburner, G., Goguen, A., and Feringa, A. (2001). NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.","DOI":"10.6028\/NIST.SP.800-30"},{"key":"ref_18","unstructured":"NIST (2003). NIST SP 800-53, Recommended Security Controls for Federal Information Systems."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Ross, R., Johnson, A., Katzke, S., Toth, P., Stoneburner, G., and Rogers, G. (2008). Nist Special Publication 800-53a: Guide for Assessing the Security Controls in Federal Information Systems, Tech. Rep.","DOI":"10.6028\/NIST.SP.800-53a"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Dempsey, K., Chawla, N.S., Johnson, A., Johnston, R., Jones, A.C., Orebaugh, A., Scholl, M., and Stine, K. (2011). Nist Special Publication 800-137: Information Security Continuous Monitoring (iscm) for Federal Information Systems and Organizations, Tech. Rep.","DOI":"10.6028\/NIST.SP.800-137"},{"key":"ref_21","unstructured":"Stine, K., Rich, K., Barker, C., Fahlsing, J., and Gulick, J. (2008). NIST SP. 800-60 Rev 1, Guide for Mapping Types of Information and Information Systems to Security Categories."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Ross, R., McEvilley, M., and Winstead, M. (2022). NIST SP 800-160 Volume 1 Revision 1 Engineering Trustworthy Secure Systems Initial Public Draft.","DOI":"10.6028\/NIST.SP.800-160v1r1"},{"key":"ref_23","unstructured":"Committee on National Security Systems (2022). Categorization Baselines NSS Assignment Values."},{"key":"ref_24","unstructured":"Committee on National Security Systems (2010). CNSS Instruction 4009."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"3913","DOI":"10.1109\/TEM.2021.3088382","article-title":"A cloud-based computing framework for artificial intelligence innovation in support of multidomain operations","volume":"69","author":"Robertson","year":"2021","journal-title":"IEEE Trans. Eng. Manag."},{"key":"ref_26","unstructured":"(2023, August 28). Explore Our Products. Available online: https:\/\/www.aws.com."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Kim, I., Kim, S., Kim, H., and Shin, D. (2022). Mission-Based Cybersecurity Test and Evaluation of Weapon Systems in Association with Risk Management Framework. Symmetry, 14.","DOI":"10.3390\/sym14112361"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Pearson, J., and Oni, O. (2023). Addressing cybersecurity and safety disconnects in United States army aviation: An exploratory qualitative case study. Secur. J., 1\u201317.","DOI":"10.1057\/s41284-023-00372-7"},{"key":"ref_29","unstructured":"Zhang, H., Luo , L., Li, R., Yi, J., Li, Y., and Chen, L. (2022, January 11\u201313). Research and application of intelligent vehicle cybersecurity threat model. Proceedings of the 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC), Guilin, China."},{"key":"ref_30","unstructured":"Wynn, J., Whitmore, J., Upton, G., Spriggs, L., McKinnon, D., McInnes, R., and Clausen, L. (2011). Threat Assessment & Remediation Analysis (TARA) (No. MTR110176), MITRE."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"1661","DOI":"10.1109\/TEMC.2017.2707471","article-title":"5G over-the-air measurement challenges: Overview","volume":"59","author":"Qi","year":"2017","journal-title":"IEEE Trans. Electromagn. Compat."},{"key":"ref_32","unstructured":"Chhawri, S., Tarnutzer, S., Tasky, T., and Lane, G.R. (2017, January 8\u201310). Smart Vehicles, Automotive Cyber Security & Software Safety Applied to Leader-Follower (LF) and Autonomous Convoy Operations. Proceedings of the Ground Vehicle Systems Engineering and Technology Symposium (GVSETS), Novi, MI, USA."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Thangavelu, S., Janczewski, L., Peko, G., and Sundaram, D. (2020, January 16\u201318). A Dynamic Security-dedicated Approach to Commercial Drone Vulnerabilities, Threat Vectors and Their Mitigation. Proceedings of the 2020 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA.","DOI":"10.1109\/CSCI51800.2020.00196"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Jiang, L., Shao, L., Qiu, Y., and Zhou, L. (2021, January 3\u20135). A Risk Management Model for Power Industry based on Impact Analysis. Proceedings of the 2021 2nd International Conference on Big Data Economy and Information Management (BDEIM), Sanya, China.","DOI":"10.1109\/BDEIM55082.2021.00039"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Miranda, A.W., and Goldsmith, S. (2017, January 23\u201326). Cyber-physical risk management for PV photovoltaic plants. Proceedings of the 2017 International Carnahan Conference on Security Technology (ICCST), Madrid, Spain.","DOI":"10.1109\/CCST.2017.8167813"},{"key":"ref_36","unstructured":"de Peralta, F., Gorton, A., Watson, M., Bays, R., Boles, J., Castleberry, J., Gorton, B., and Powers, F. (2020). Framework for Identifying Cybersecurity Vulnerability and Determining Risk for Marine Renewable Energy Systems."},{"key":"ref_37","unstructured":"Radoglou-Grammatikis, P., Liatifis, A., Dalamagkas, C., Lekidis, A., Voulgaridis, K., Lagkas, T., Fotos, N., Menesidou, S.-A., Krousarlis, T., and Alcazar, P.R. (September, January 29). ELECTRON: An Architectural Framework for Securing the Smart Electrical Grid with Federated Detection, Dynamic Risk Assessment and Self-Healing. Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Liatifis, A., Alcazar, P.R., Grammatikis, P.R., Papamartzivanos, D., Menesidou, S., Krousarlis, T., Alberto, M.M., Angulo, I., Sarigiannidis, A., and Lagkas, T. (July, January 27). Dynamic Risk Assessment and Certification in the Power Grid: A Collaborative Approach. Proceedings of the 2022 IEEE 8th International Conference on Network Softwarization (NetSoft), Milan, Italy.","DOI":"10.1109\/NetSoft54395.2022.9844034"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Udroiu, A.-M., Dumitrache, M., and Sandu, I. (July, January 30). Improving the cybersecurity of medical systems by applying the NIST framework. Proceedings of the 2022 14th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), Ploiesti, Romania.","DOI":"10.1109\/ECAI54874.2022.9847498"},{"key":"ref_40","unstructured":"Alliance, H. (2019). HITRUST CSF, HITRUST."},{"key":"ref_41","unstructured":"Reddy, G.N., and Reddy, G. (2014). A study of cyber security challenges and its emerging trends on latest technologies. arXiv."},{"key":"ref_42","unstructured":"Ursillo, S., and Arnold, C. (2019). Cybersecurity Is Critical for All Organizations\u2013Large and Small, International Federation of Accountants."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1080\/23742917.2016.1252211","article-title":"Review of cybersecurity issues in industrial critical infrastructure: Manufacturing in perspective","volume":"1","author":"Ani","year":"2017","journal-title":"J. Cyber Secur. Technol."},{"key":"ref_44","unstructured":"Van Devender, M.S. (2023). Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices. [Ph.D. Thesis, University of South Alabama]."},{"key":"ref_45","unstructured":"Miller, J.C. (2019). Security Assessment of Cloud-Based Healthcare Applications. [Master\u2019s Thesis, Milligan University]."},{"key":"ref_46","unstructured":"Bodie, M.T. (2022). HIPPA, Saint Louis University School of Law, Saint Louis University. Cardozo L. Rev. De-Novo."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.compind.2018.08.002","article-title":"Future developments in cyber risk assessment for the internet of things","volume":"102","author":"Radanliev","year":"2018","journal-title":"Comput. Ind."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Li, K., Shi, R., Yan, J., Cai, C., Sun, M., and Li, J. (2020, January 17\u201322). A RMF and AHP-Based Approach to Risk Assessment of Power Internet of Things. Proceedings of the 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC\/PiCom\/CBDCom\/CyberSciTech), Calgary, AB, Canada.","DOI":"10.1109\/DASC-PICom-CBDCom-CyberSciTech49142.2020.00117"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Brandon, A., Seekins, M., Joshua, B.V., Samuel, C., and Haller, J. (2019, January 10\u201312). Network data analysis to support risk management in an IoT environment. Proceedings of the 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), New York, NY, USA.","DOI":"10.1109\/UEMCON47517.2019.8993030"},{"key":"ref_50","unstructured":"Warren, K., and Sabetto, R. (2018). FedRAMP: A Practical Approach, MITRE Corporation."},{"key":"ref_51","unstructured":"McLaughlin, M. (2020). Reforming FedRAMP: A Guide to Improving the Federal Procurement and Risk Management of Cloud Services, Information Technology and Innovation Foundation."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"McGillivray, K. (2021). Government Cloud Procurement, Cambridge University Press.","DOI":"10.1017\/9781108942485"},{"key":"ref_53","unstructured":"United States Government Accountability Office, and Wilshusen, G.C. (2019). Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed: Report to Congressional Requesters."},{"key":"ref_54","unstructured":"Green, S. (2020). An Evaluation of Two Host-Based Vulnerability Scanning Tools. [Ph.D. Thesis, Utica College]."},{"key":"ref_55","first-page":"20","article-title":"Building an EERM Toolkit","volume":"66","author":"Kinsella","year":"2019","journal-title":"Risk Manag."},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Koo, J., Kim, Y.-G., and Lee, S.-H. (2019, January 28\u201330). Security requirements for cloud-based C4I security architecture. Proceedings of the 2019 International Conference on Platform Technology and Service (PlatCon), Jeju, Republic of Korea.","DOI":"10.1109\/PlatCon.2019.8668963"},{"key":"ref_57","unstructured":"Kent, S. (2019). Federal Cloud Computing Strategy."},{"key":"ref_58","first-page":"35","article-title":"Cybersecurity Architecture for the Cloud: Protecting Network in a Virtual Environment","volume":"4","author":"Mughal","year":"2021","journal-title":"Int. J. Intell. Autom. Comput."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/10\/561\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T21:05:26Z","timestamp":1760130326000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/10\/561"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,12]]},"references-count":58,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2023,10]]}},"alternative-id":["info14100561"],"URL":"https:\/\/doi.org\/10.3390\/info14100561","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,12]]}}}