As the DoD Information Assurance Certification and Accreditation Process (DIACAP) begins to make its curtain call from a defense compliance standpoint, a new process emerges and takes its place, the Risk Management Framework (RMF). How will this new process work? And more importantly, what does this mean for the way you do business? In most organizations, governance, risk, and compliance (GRC) are the pillars that ensure a business is capable of performing to meet its objectives. The national defense information security realm is no different. In the Department of Defense (DoD), cybersecurity governance is handled through various instructions, directives, and manuals. In the past, compliance was met through adherence to these rules, and validated using DIACAP. The RMF introduces a method to incorporate all three areas. It uses an established methodology through its special publication series, and incorporates DoD guidance within its 800-53 Revision 4 control set. These publications also provide information on Managing Information Security Risk (800-39) and a Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (800-53 A) to ensure compliance to the DoD and National Institute of Standards and Technology (NIST) standards. DIACAP offered a control set to measure against, but fell short in its implementation and risk assessment guidance.