
RMF - Federal Risk Management Framework Training

SS Course: 2001235

Course Overview


The Risk Management Framework (RMF) is the unified information security framework for the entire federal government. It is replacing the legacy Certification and Accreditation (C&A) processes within federal departments and agencies, the Department of Defense (DoD), and the Intelligence Community (IC). DoD has officially begun its transition from the legacy DIACAP process to the new "RMF for DoD IT" process.


Scheduled Classes


What You'll Learn

  • RMF Introduction and Logistics
  • RMF Documentation
  • NIST 800-53 Security Controls
  • Security Control Assessment Methods

Outline


Introduction

  • Key concepts including assurance, assessment, authorization
  • Reasons for change to the Risk Management Framework (RMF)
  • Key characteristics of security
  • Security controls

Cybersecurity Policy Regulations and Framework

  • Evolution and interaction of security laws, policy, and regulations in cybersecurity
  • Accessing the correct documents for cybersecurity guidance
  • Assessment and authorization transformation goals

RMF Roles and Responsibilities

  • Tasks and responsibilities for RMF roles

Risk Analysis Process

  • Four-step risk management process
  • Impact level
  • Level of risk
  • Effective risk management options

Step 1: Categorize

  • Key documents in the RMF process
  • Security Categorization
  • Information System Description
  • Lab 1: Categorize a fictitious DoD agency's information system

Step 2: Select

  • Common Control Identification
  • Security Control Selection
  • Tailor security controls
  • Monitoring strategy
  • Security Plan Approval
  • Lab 2: Select security controls for a fictitious DoD agency information system

Step 3: Implement

  • Security Control Implementation
  • Security Control Documentation
  • Lab 3: Discuss and review decisions related to implementation of security controls

Step 4: Assess

  • Assessment Preparation
  • Security Control Assessment
  • Security Assessment Report
  • Remediation Actions
  • Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency

Step 5: Authorize

  • Plan of Action and Milestones
  • Security Authorization Package
  • Risk Determination
  • Risk Acceptance
  • Lab 5: Practice compiling the documents that make up the Security Authorization Package

Step 6: Monitor

  • Information System and Environment Changes
  • Patches
  • Ongoing Security Control Assessments
  • Ongoing Remediation Actions
  • Key Updates
  • Security Status Reporting
  • Ongoing Risk Determination and Acceptance
  • Information System Removal and Decommissioning
  • Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate


Risk Management Framework for DoD and the Intelligence Community

  • DoDI 8510.01
  • DFAR 252.204-7012
  • Security Control Structure
  • Evolution of Cybersecurity Policy
  • NIST: Computer Security Division
  • DoD Cybersecurity Policy Drivers
  • DIACAP to RMF
  • Transformation Goals
  • Control Selection
  • CNSSI-1258
  • RMF Integration with the SDLC
  • Important Federal Guidelines
  • DoD 8500 Cybersecurity Series
  • Roles and Responsibilities
  • Registering a DoD System
  • eMASS
  • Types of Authorizations
  • RMF Knowledge Service

Prerequisites


Before attending this course, students should have:

  • Knowledge and experience with information security systems and best practices
  • There are no requirements for this course

Who Should Attend

This course is designed for system owners, administrators, developers, integrators, and information assurance staff who need to understand:

  • FISMA
  • RMF process (including Security Authorization or A&A)
  • NIST baseline security controls
  • Documentation package
  • Continuous monitoring process

Next Step Courses