What is the difference between defense-in-depth and single-layer security in RMF?

Defense-in-depth means protecting a system by layering multiple, overlapping controls across different domains—technical measures, physical protections, and administrative processes—so that no single failure or bypass leaves the system exposed. In RMF, this approach is used to reduce overall risk by making security protections work together: even if one control is breached, others continue to provide protection, lowering both the chance of a compromise and the potential impact. Relying on a single-layer defense, by contrast, puts everything on one control; if that control fails or is circumvented, there’s nothing else to stop or detect an intrusion. The idea isn’t just about having more protections, but about ensuring they complement each other across layers, so safeguards in one area compensate for weaknesses in another.