RMF Training | Introduction to Risk Management Framework Training

RMF Training | Introduction to Risk Management Framework Training


RMF Training | Introduction to Risk Management Framework Training Course by Example

RMF Training | Introduction to Risk Management Framework Training offered by EnoEnterprises. Learn about DoD Information Technology in-depth DoD RMF basics. EnoEnterprises offers a series of Risk Management Framework (RMF) for DoD Information Technology in-depth DoD RMF basics.

RMF Training | Introduction to Risk Management Framework Training training teaches you the concepts and principles of risk management framework (RMF) which is a replacement to the traditional cybersecurity risk management framework methodology, DIACAP.

Customize It:

With onsite Training, courses can be scheduled on a date that is convenient for you, and because they can be scheduled at your location, you don’t incur travel costs and students won’t be away from home. Onsite classes can also be tailored to meet your needs. You might shorten a 5-day class into a 3-day class, or combine portions of several related courses into a single course, or have the instructor vary the emphasis of topics depending on your staff’s and site’s requirements.

Audience/Target Group

IT professionals in the area of cybersecurity
DoD employees and contractors or service providers
Government personnel working in cybersecurity area
Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
Employees of federal agencies and the intelligence community
Assessors, assessment team members, auditors, inspectors or program managers of information technology area
Any individual looking for information assurance implementation for a company based on recent policies
Information system owners, information owners, business owners, and information system security managers

RMF Training | Introduction to Risk Management Framework TrainingRelated Courses:

Duration: 2 days


Understand the risk management framework and risk management and assessment for information technology systems
Apply cost-effective security controls based on risk and best practices on assessment and analysis
Understand the RMF/FISMA/NIST processes for authorizing federal IT systems and authorization process
Explain RMF step by step procedures
Differentiate the traditional certification and accreditation (C&A) with RMF
Understand different key roles in RMF with their responsibilities
Recognize recent publications of NIST and FISMA regarding RMF and select, implement, and assess security controls
Apply the step by step RMF procedure to real world application, and ways to monitor security controls
Tackle the problems of RMF in each phase of procedure

Course Content:

Information Security and Risk Management Framework (RMF) Foundation

Purpose of RMF
Components of Risk Management
Importance of Risk Management
Risk Management for Organizations
Risk Management for Business processes
Risk Management for Information System
Concept of Trust and Trustworthiness in Risk Management
Organizational Culture
Key Risk Concepts and their Relationship
Framing Risks
Assessing Risk
Risk Assessment Steps
Responding to Risk
Mitigating Risks
Monitoring the Risk
Risk Management Process Tasks
Risk Response Strategies

RMF Laws, Regulations and Guidance

Office of Management and Budget (OMB) Laws
National Institute of Standards and Technology (NIST) Publications
Committee and National Security Systems (CNSS)
Office of the Director National Intelligence (ODNI)
Department of Defense (DoD)
Privacy Act of 1974 (Updated in 2004)
Transmittal Memorandum, OMB A-130
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Financial Service Modernization
OMB M-00-13
Critical Infrastructure Protection
Federal Information Security Management (FISM)
Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

FIMSA Compliance Overview
FIMSA Trickles into the Private Sector
FIMSA Compliance Methodologies
ICD 503 and DCID 6/3
Understanding the FISMA Compliance Process
Stablishing FIMSA Compliance Program
Preparing the Hardware and Software Inventory
Categorizing Data Sensitivity
Addressing Security Awareness and Training
Addressing Rules of Behavior
Developing an Incident Response Plan
Conducting Privacy Impact Assessment
Preparing Business Impact Analysis
Developing the Contingency Plan
Developing a Configuration Management Plan
Preparing the System Security Plan
Performing the Business Risk Assessment
Security Testing and Security Packaging
FISMA for Clouds

New Requirements under FISMA 2015

Continuous Diagnostics and Mitigation (CDM) Program
FISMA Metrics
Federal Government Programs Designed to Combat Growing Threats
Cybersecurity 2015 Cross Agency Priority (CAP) Goal
Formalized Process for Proactive Scans of Public Facing Agency Networks
DHS US-CERT Incident Notification Guidelines
Information Security Program Oversight Requirements
Privacy Management Guidance
Mobile Devices
Security Incident Reporting
Protection of Agency Information
Ongoing Authorization

FIPS and NIST Special Publications (PUBS)

General Information
FIPS Changes and Announcements
FIPS Standards
FIPS PUB 140-2; Security Requirements for Cryptographic Modules
FIPS PUB 180-4; Secure Hash Standard (SHS)
FIPS PUB 186-4; Digital Signature Standard (DSS)
FIPS PUB 197; Advanced Encryption Standard (AES)
FIPS PUB 198-1; Keyed Hash Message Authorization code (HMAC)
FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
FIPS PUB 200; Minimum Security Requirements for Federal Information and Information systems
FIPS PUB 201-2; Personal Identity Verification (PIV)
FIPS PUB 202; SHA-3 Standard

RMF Roles and Responsibilities

Agency Head
Risk Executive
Chief Information Officer (CIO)
Chief Information Security Officer(CISO)
Senior Information Security Officer (SISO)
Authorizing Official (AO)
Delegated Authorizing Official (DAO)
Security control Assessor
Common Control Provider (CCP)
Information Owner
Mission/Business Owner (MBO)
Information System Owner
Information System Security Engineer (ISSE)
Information System Security Manager (ISSM)
Information System Security Officer (ISSO)
Risk Analyst
Executive Management
User Representatives
Information security Architect
Security control Assessor
Computer Incident Response (CIR) Team

Risk Management Framework Steps


System Development Life Cycle (SDLC)

Operation and Maintenance

Transition from C&A to RMF

Certification and Accreditation (C&A) Process
C&A Phases
RMF, a High Level View
Transition and Differences
Key Roles to Implement the RMF

Expansion of the RMF

Implementation of the RMF in the Intelligence Community
Implementation of the RMF in DoD
Implementation of the RMF in the Private Sector
Future Updates to the RMF Process
Using the RMF with Other Control Sets
The Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI)
Other Standards used with RMF

Security control Assessment Requirements

NIST SP 800-53A Assessment Methods
Security Control Baseline Categorization
CNSSI 1253 Baseline Categorization
New Controls Planned in Recent Revision
FedRAMP Controls
SP 800-53 Security Controls to HIPAA Security Rule
PCI DSS Standards

RMF for IT

IT and RMF Process
Enterprise-wide IT Governance authorization of IT Systems and Services
Risk Based Approach Instead of Check Lists
DT&E and OT&E Integration
RMF Embedded in Acquisition Lifecycle
Continuous Monitoring and Timely Correction of Deficiencies
Automated Tools
Cybersecurity Implementation via Security controls
Reciprocity Application

Hands On, Workshops and Group Activities

Group Activities

Sample Workshops and Labs for Introduction to RMF Training

Categorizing the Information system Based on the Information Type using NIST SP 8-060
Determining the Security Category for Confidentiality, Availability, and Integrity of the System
Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
RMF Phase 3 Case Study, Resolving the Control Planning Issues
Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
Developing Plan of Action and Milestones (POA&M)
RMF Monitoring Phase; Assessing the Controls based on Schedule

Key Standards and Guidelines

FIPS Publication 1(Security Categorization)
FIPS Publication 200 (Minimum Security Controls)
NIST Special Publication 800-18 (Security Planning)
NIST Special Publication 800-30 (Risk Assessment)
NIST Special Publication 800-37 (System Risk Management Framework)
NIST Special Publication 800-3(Enterprise-Wide Risk Management)
NIST Special Publication 800-53 (Recommended Security Controls)
NIST Special Publication 800-53A (Security Control Assessment)
NIST Special Publication 800-5(National Security Systems)
NIST Special Publication 800-60 (Security Category Mapping)

Request More Information

    Time Frame: 0-3 Months4-12 Months

    Print Friendly, PDF & Email