Course Overview
Risk Management Framework (RMF) is the unified information security framework for the entire federal government. It is replacing the legacy Certification and Accreditation (C&A) processes within federal government departments and agencies, the Department of Defense (DoD) and the Intelligence Community (IC). DoD has officially begun its transition from the legacy DIACAP process to the new "RMF for DoD IT" process.
What You'll Learn
- RMF Introduction and Logistics
- RMF Documentation
- NIST 800-53 Security Controls
- Security Control Assessment Methods
Outline
Introduction
- Key concepts including assurance, assessment, authorization
- Reasons for change to the Risk Management Framework (RMF)
- Key characteristics of security
- Security controls
Cybersecurity Policy Regulations and Framework
- Evolution and interaction of security laws, policy, and regulations in cybersecurity
- Accessing the correct documents for cybersecurity guidance
- Assessment and authorization transformation goals
RMF Roles and Responsibilities
- Tasks and responsibilities for RMF roles
Risk Analysis Process
- Four-step risk management process
- Impact level
- Level of risk
- Effective risk management options
Step 1: Categorize
- Key documents in the RMF process
- Security Categorization
- Information System Description
- Lab 1: Categorize a fictitious DoD agency's information system
Step 2: Select
- Common Control Identification
- Security Control Selection
- Tailor security controls
- Monitoring strategy
- Security Plan Approval
- Lab 2: Select security controls for a fictitious DoD agency information system
Step 3: Implement
- Security Control Implementation
- Security Control Documentation
- Lab 3: Discuss and review decisions related to implementation of security controls
Step 4: Assess
- Assessment Preparation
- Security Control Assessment
- Security Assessment Report
- Remediation Actions
- Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency
Step 5: Authorize
- Plan of Action and Milestones
- Security Authorization Package
- Risk Determination
- Risk Acceptance
- Lab 5: Practice compiling the documents that make up the Security Authorization Package
Step 6: Monitor
- Information System and Environment Changes
- Patches
- Ongoing Security Control Assessments
- Ongoing Remediation Actions
- Key Updates
- Security Status Reporting
- Ongoing Risk Determination and Acceptance
- Information System Removal and Decommissioning
- Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate
Risk Management Framework for DoD and the Intelligence Community
- DoDI 8510.01
- DFARS 252.204-7012
- Security Control Structure
- Evolution of Cybersecurity Policy
- NIST: Computer Security Division
- DoD Cybersecurity Policy Drivers
- DIACAP to RMF
- Transformation Goals
- Control Selection
- CNSSI-1258
- RMF Integration with the SDLC
- Important Federal Guidelines
- DoD 8500 Cybersecurity Series
- Roles and Responsibilities
- Registering a DoD System
- eMASS
- Types of Authorizations
- RMF Knowledge Service
Prerequisites
Before attending this course, students should have:
- Knowledge and experience with information security systems and best practices
- There are no requirements for this course
Who Should Attend
This course is designed for system owners, administrators, developers, integrators, and information assurance staff who need to understand:
- FISMA
- RMF process (including Security Authorization or A&A)
- NIST baseline security controls
- Documentation package
- Continuous monitoring process