Introduction to Risk Management Framework (RMF) Training

Introduction to Risk Management Framework Training (RMF) Course with Hands-on Exercises (Online, Onsite and Classroom Live)

This Introduction to Risk Management Framework (RMF) Training course introduces the Risk Management Framework (RMF) and Cybersecurity policies for the Department of Defense (DoD). The Introduction to Risk Management Framework Training (RMF) course will address the current state of Cybersecurity within DoD and the appropriate transition timelines. In addition, it identifies the six steps of the RMF and highlights the key factors to each step.

Introduction to Risk Management Framework (RMF) Training
Duration: 2 days

CUSTOMIZE IT
  • We can adapt this Introduction to Risk Management Framework (RMF) Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this Introduction to Risk Management Framework (RMF) Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Introduction to Risk Management Framework (RMF) Training Course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Introduction to Risk Management Framework (RMF) Training course in a manner understandable to lay audiences.
AUDIENCE/TARGET GROUP

The target audience for this Introduction to Risk Management Framework (RMF) course:

  • IT professionals in the area of cybersecurity
  • DoD employees and contractors or service providers
  • Government personnel working in the cybersecurity area
  • Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
  • Employees of federal agencies and the intelligence community
  • Assessors, assessment team members, auditors, inspectors or program managers in the information technology area
  • Any individual who needs to implement information assurance for an organization in line with current policies
  • Information system owners, information owners, business owners, and information system security managers
CLASS PREREQUISITES

The knowledge and skills that a learner must have before attending this Introduction to Risk Management Framework (RMF) course are:

  • N/A
Introduction to Risk Management Framework (RMF) Training - OBJECTIVES

Upon completing this Introduction to Risk Management Framework (RMF) course, learners will be able to meet these objectives:

  • Understand the Risk Management Framework and risk management and assessment for information technology systems
  • Apply cost-effective security controls based on risk and on best practices for assessment and analysis
  • Understand the RMF/FISMA/NIST processes for authorizing federal IT systems
  • Explain the RMF step-by-step procedures
  • Differentiate the traditional certification and accreditation (C&A) process from the RMF
  • Understand the key roles in the RMF and their responsibilities
  • Recognize recent NIST and FISMA publications regarding the RMF, and select, implement, and assess security controls
  • Apply the step-by-step RMF procedure to real-world applications, and know ways to monitor security controls
  • Address the problems that arise in each phase of the RMF procedure
Introduction to Risk Management Framework (RMF) Training - COURSE SYLLABUS

Information Security and Risk Management Framework (RMF) Foundation

  • Purpose of RMF
  • Components of Risk Management
  • Importance of Risk Management
  • Risk Management for Organizations
  • Risk Management for Business processes
  • Risk Management for Information System
  • Concept of Trust and Trustworthiness in Risk Management
  • Organizational Culture
  • Key Risk Concepts and their Relationship
  • Framing Risks
  • Assessing Risk
  • Risk Assessment Steps
  • Responding to Risk
  • Mitigating Risks
  • Monitoring the Risk
  • Risk Management Process Tasks
  • Risk Response Strategies

RMF Laws, Regulations and Guidance

  • Office of Management and Budget (OMB) Laws
  • National Institute of Standards and Technology (NIST) Publications
  • Committee on National Security Systems (CNSS)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Privacy Act of 1974 (Updated in 2004)
  • Transmittal Memorandum, OMB A-130
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Financial Services Modernization Act
  • OMB M-00-13
  • Critical Infrastructure Protection
  • Federal Information Security Management Act (FISMA)
  • HSPD 7
  • Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
  • Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

  • FISMA Compliance Overview
  • FISMA Trickles into the Private Sector
  • FISMA Compliance Methodologies
  • NIST RMF
  • DIACAP
  • DoD RMF
  • ICD 503 and DCID 6/3
  • Understanding the FISMA Compliance Process
  • Establishing a FISMA Compliance Program
  • Preparing the Hardware and Software Inventory
  • Categorizing Data Sensitivity
  • Addressing Security Awareness and Training
  • Addressing Rules of Behavior
  • Developing an Incident Response Plan
  • Conducting Privacy Impact Assessment
  • Preparing Business Impact Analysis
  • Developing the Contingency Plan
  • Developing a Configuration Management Plan
  • Preparing the System Security Plan
  • Performing the Business Risk Assessment
  • Security Testing and Security Packaging
  • FISMA for Clouds

New Requirements under FISMA 2015

  • Continuous Diagnostics and Mitigation (CDM) Program
  • FISMA Metrics
  • Federal Government Programs Designed to Combat Growing Threats
  • Cybersecurity 2015 Cross Agency Priority (CAP) Goal
  • Formalized Process for Proactive Scans of Public Facing Agency Networks
  • DHS US-CERT Incident Notification Guidelines
  • Information Security Program Oversight Requirements
  • Privacy Management Guidance
  • Mobile Devices
  • Security Incident Reporting
  • Protection of Agency Information
  • Ongoing Authorization

Risk Management Framework Steps

  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

System Development Life Cycle (SDLC)

  • Initiation
  • Development/Acquisition
  • Implementation/Assessment
  • Operation and Maintenance
  • Disposal

Transition from C&A to RMF

  • Certification and Accreditation (C&A) Process
  • C&A Phases
  • Initiation
  • Certification
  • Accreditation
  • Monitoring
  • RMF, a High Level View
  • Transition and Differences
  • Key Roles to Implement the RMF

Expansion of the RMF

  • Implementation of the RMF in the Intelligence Community
  • Implementation of the RMF in DoD
  • Implementation of the RMF in the Private Sector
  • Future Updates to the RMF Process
  • Using the RMF with Other Control Sets
  • FedRAMP
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI)
  • Other Standards used with RMF

Security Control Assessment Requirements

  • NIST SP 800-53A Assessment Methods
  • Security Control Baseline Categorization
  • CNSSI 1253 Baseline Categorization
  • New Controls Planned in Recent Revision
  • FedRAMP Controls
  • SP 800-53 Security Controls to HIPAA Security Rule
  • PCI DSS Standards

RMF for IT

  • NIST RMF
  • IT and RMF Process
  • Enterprise-wide IT Governance authorization of IT Systems and Services
  • Risk Based Approach Instead of Check Lists
  • DT&E and OT&E Integration
  • RMF Embedded in Acquisition Lifecycle
  • Continuous Monitoring and Timely Correction of Deficiencies
  • Automated Tools
  • Cybersecurity Implementation via Security controls
  • Reciprocity Application

Optional Modules and Activities:

Hands On, Workshops and Group Activities

  • Labs
  • Workshops
  • Group Activities

Workshops and Labs for Introduction to RMF Training

  • Categorizing the Information System Based on the Information Type Using NIST SP 800-60
  • Determining the Security Category for Confidentiality, Integrity, and Availability of the System
  • Selecting Controls, Second Phase of the RMF Case Study, Using NIST SP 800-53
  • RMF Phase 3 Case Study: Resolving the Control Planning Issues
  • Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) Using NIST SP 800-53A
  • Developing the Plan of Action and Milestones (POA&M)
  • RMF Monitoring Phase: Assessing the Controls Based on Schedule

Key Standards and Guidelines

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Controls)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Assessment)
  • NIST Special Publication 800-37 (System Risk Management Framework)
  • NIST Special Publication 800-39 (Enterprise-Wide Risk Management)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)

FIPS and NIST Special Publications (PUBS)

  • General Information
  • FIPS Changes and Announcements
  • FIPS Standards
  • FIPS PUB 140-2; Security Requirements for Cryptographic Modules
  • FIPS PUB 180-4; Secure Hash Standard (SHS)
  • FIPS PUB 186-4; Digital Signature Standard (DSS)
  • FIPS PUB 197; Advanced Encryption Standard (AES)
  • FIPS PUB 198-1; Keyed-Hash Message Authentication Code (HMAC)
  • FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
  • FIPS PUB 200; Minimum Security Requirements for Federal Information and Information systems
  • FIPS PUB 201-2; Personal Identity Verification (PIV)
  • FIPS PUB 202; SHA-3 Standard

Creating RMF Roles and Responsibilities

  • Agency Head
  • Risk Executive
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Senior Information Security Officer (SISO)
  • Authorizing Official (AO)
  • Delegated Authorizing Official (DAO)
  • Security Control Assessor
  • Common Control Provider (CCP)
  • Information Owner
  • Mission/Business Owner (MBO)
  • Information System Owner
  • Information System Security Engineer (ISSE)
  • Information System Security Manager (ISSM)
  • Information System Security Officer (ISSO)
  • Risk Analyst
  • Executive Management
  • User Representatives
  • Information Security Architect
  • Computer Incident Response (CIR) Team
Introduction to Risk Management Framework (RMF) Training Course Wrap-Up
