RMF Procedures Overview: DoDI 8510.01 Training

Introduction:

RMF Procedures Overview: DoDI 8510.01 Training Course Hands-on

RMF Procedures Overview: DoDI 8510.01 training covers the Risk Management Framework (RMF) for Department of Defense (DoD) Information Technology (IT), including its cybersecurity policies, responsibilities and risk management practices. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the cybersecurity life cycle for DoD IT based on DoD, National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSS) standards.

Customize It:

With onsite training, courses can be scheduled on a date that is convenient for you, and because they can be held at your location, you don’t incur travel costs and students won’t be away from home. Onsite classes can also be tailored to meet your needs. You might shorten a 5-day class into a 3-day class, combine portions of several related courses into a single course, or have the instructor vary the emphasis of topics depending on your staff’s and site’s requirements.

Audience/Target Group

IT professionals in the DoD organizations
Air Force and military personnel in charge of cybersecurity
DoD employees and contractors or service providers
All DoD personnel in charge of information assurance
Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
Employees of federal agencies and the intelligence community
Assessors, assessment team members, auditors, inspectors or program managers in the information technology area
Anyone seeking to implement information assurance for an organization based on recent DoD and NIST policies
Information system owners, information owners, business owners, and information system security managers

Duration: 2 days

Objectives:

Understand the necessity of the transition from DIACAP to RMF and differentiate C&A from RMF
Learn about general standards used in RMF such as FISMA, NIST, and CNSS
Explain key roles and responsibilities of RMF such as CIO, AO, and ISO
Recognize different steps to risk management framework application
Explain how to categorize the DoD information system based on NIST SP 800-37 and DoDI 8510.01
Select security controls for DoD IT based on CNSSI 1253 and NIST SP 800-53
Implement security controls for DoD IT based on NIST SP 800-53 and NIST SP 800-70
Assess the security control based on security assessment method standards
Explain security authorization package and plan of action and milestones (POA&M)
Conduct continuous monitoring of security controls based on NIST SP 800-137
Understand the three-tiered risk management framework governance
Implement RMF for IS and PIT systems
Understand the transition to the risk management framework

Course Content:

Security Authorization Process

Security Authorization Standards
NIST, FISMA, DIACAP and RMF
DoD: DoDI 8500.01 and DoDI 8510.01
CNSSP-42, CNSSI-1253, CNSS 4009
NIST Special Publications, NIST SP 800-37, NIST SP 800-39, NIST SP 800-53A, NIST SP 800-137 and NIST SP 800-160
Risk Management Framework Tools
eMASS and Information Assurance Support Environment (IASE)
Security Process and Concepts
Adequate Security and Risk-Based Approach (OMB)
Security Objectives: Confidentiality, Integrity and Availability
Types of Risks
Privacy Rules: HIPAA and Personally Identifiable Information (PII)
Trust Relationship: Reciprocity and Documents
Risk Management
Risk Assessment: Qualitative and Quantitative

Responsibilities in Risk Management Framework

DoD IT
DoD Chief Information Officer (DoD CIO)
Director, Defense Information Systems Agency
Secretary of Defense for Acquisition Technology
DT&E
DOT&E
Chief, Central Security Service
DoD Component Heads
Risk Executive
DoD Senior Information Security Officer (SISO)
Authorizing Official (AO)
AO Designated Representative
Information Owner
Security Control Assessor
Information System Owner (ISO)
Information System Security Engineer

Procedures for Risk Management Framework

Categorizing the Information and Information Systems
Selecting Security Control
Implementing Security Control
Assessing Security Control
Authorizing the Information System
Monitoring Security Controls

RMF Step 1: Categorizing Information System

System Security Plan based on SP 800-18, SP 800-37
DoD IT Products, Services and PIT based on DoDI 8510.01
Categorization based on CNSSI-1253 and SP 800-53
Accreditation Boundaries based on SP 800-18
Interconnecting the Information System
Registration based on SP 800-53
Qualified Personnel based on DoDD 8570.01 and DoDD 8140.01

RMF Step 2: Selecting Security Controls

Types of Security Controls
CNSSI-1253, SP 800-53
Selecting Security Control based on CNSSI-1253 and FIPS-200
Compensating Controls, SP 800-53
Trustworthiness and Assurance, SP 800-53
Monitoring Control Selection, SP 800-53
Monitored Control Selection, SP 800-37
Registration, DoDI 8510.01
Knowledge Services and eMASS

RMF Step 3: Implementing Security Control

Implementation of Security Control based on NIST SP 800-53
Documentation of Security Control based on SP 800-18 and SP 800-37
Security Control Tests and Checklists based on NIST SP 800-70 and eMASS
Security Content Automation Protocol (SCAP) based on SP 800-115 and SP 800-117

RMF Step 4: Assessing Security Control

Security Control Assessment Method based on SP 800-53 and SP 800-115
Vulnerability Assessment Tools, SP 800-53A and SP 800-115
Security Assessment Plan based on SP 800-37
Security Assessor Expertise based on DoDI 8510.01
Assessing Security Controls, SP 800-53A
Security Control Assessment, SP 800-37

RMF Step 5: Authorizing Information System

Special DoD Systems, DoDI 8510.01
Plan of Action and Milestones (POA&M)
Security Authorization Package based on SP 800-37 and DoDI 8510.01
Authority to Operate (ATO)
Interim Authorization to Test (IATT)
Denial of Approval to Operate (DATO)
Special Authorizations: DoDI 8510.01
Platform Information Technology (PIT) Authorization

RMF Step 6: Monitoring Security Controls

Information Security Continuous Monitoring based on SP 800-137
Patch and Vulnerability Management
Cloud Computing, FedRAMP
DoD RMF Schedule, Status and Issues for DoDI 8510.01

Risk Management Framework Governance

Three Tiered Approach
Cybersecurity Risk Management based on NIST SP 800-39
Tier 1: Organizations, DoD CIO/SISO, RM TAG&KS, DoD ISRMC
Tier 2: Mission/Business Processes, WMA, BMA, EIEMA, DIMA PAOs, DoD Component CIO/SISO
Tier 3: IS/PIT Systems, Authorization Official, System Cybersecurity Program
Traceability and Transparency of Risk-Based Decisions
Organization-Wide Risk Awareness
Strategic Risks
Tactical Risks
Feedback Loop for Continuous Improvements
Inter-Tier and Intra-Tier Communications
Risk Executive Function
DoD Cybersecurity Architecture
Knowledge Service (KS)

Risk Management of IS and PIT Systems

Applicability to IS and PIT Systems
Considerations for Special System Configurations
Cross Domain Solutions (CDS) for IS and PIT
Unified Capabilities (UC) for PIT and IS
Type Authorization
Stand-Alone IS and PIT Systems
IS and PIT Systems Operated by Another Entity
DoD Partnered System
OSD Systems
Authorization with a Single/Multiple AO
Authorization Approaches

Risk Management Framework Transition

RMF Initial Transition Timeline and Instructions
Transition from DIACAP to CNSSI 1253
Transition to NIST SP 800-53 and RMF

Hands On, Workshops, and Group Activities

Labs
Workshops
Group Activities

Sample Workshops and Labs for Cybersecurity Procedures Overview, DoDI 8500.01 Training

Categorizing the Information System Based on the Information Type using NIST SP 800-60
Determining the Security Category for Confidentiality, Availability, and Integrity of the System
Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
RMF Phase 3 Case Study, Resolving the Control Planning Issues
Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
Developing Plan of Action and Milestones (POA&M)
RMF Monitoring Phase: Assessing the Controls Based on Schedule
