Risk Management Framework Training: RMF for DoD IT

RMF Training Duration: 4 days

Employees of federal, state and local governments, and businesses working with the government.

Who should attend this RMF Course?

Our RMF training program is appropriate for DoD employees and contractors, as well as their supporting vendors and service providers. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for DoD IT – Fundamentals (one day). Those who wish to gain detailed implementation knowledge of RMF and NIST Security Controls should attend both RMF for DoD IT – Fundamentals and RMF for DoD IT – In Depth (total of four days).

Course Outline

RMF for DoD IT – Fundamentals (Day One)

The first day of this course provides an overview of information security and risk management and proceeds to a high-level view of RMF for DoD IT. Discussion is centered on RMF for DoD IT policies, roles and responsibilities, along with key publications from the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). The class includes high-level discussion of the RMF for DoD IT “life cycle”, including security authorization (a.k.a. certification and accreditation), along with the RMF documentation package and NIST security controls.

  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Categorize, Select, Implement, Assess, Authorize, Monitor
  • RMF Documentation
  • Security Controls and Assessment Procedures
  • RMF and DIACAP
  • RMF Resources

RMF for DoD IT – In-Depth (Days Two through Four)

The remaining days of this course expand on the topics above at a level of detail that enables practitioners to immediately apply the training to their daily work. Each student will gain in-depth knowledge of the relevant DoD, NIST and CNSS publications, along with the practical guidance needed to implement them in the work environment. Each life cycle activity in DoD Instruction 8510.01 (RMF for DoD IT) is covered in detail, as is each component of the corresponding documentation package. NIST Special Publication (SP) 800-53 Security Controls, along with the corresponding assessment procedures, are covered in detail, as are CNSS Instruction 1253 “enhancements”. Specific attention is paid to the process of transition from DIACAP to RMF, as well as the application of the eMASS tool to various aspects of the RMF life cycle.

Class participation exercises and collaboration reinforce key concepts.

  • Step 1: Categorize
    • Categorize the System
    • Describe the System and Boundary
    • Conduct a Basic Risk Assessment
    • Register the System
  • Step 2: Select
    • RMF Security Control Overview
    • Analyze Security Controls
    • Select the Control Baseline
    • Tailor the Control Baseline
    • Planning for Continuous Monitoring
  • Step 3: Implement
    • Implement Control Solutions
    • Document Security Control Implementation
    • STIGs and Automated Tools
  • Step 4: Assess
    • Identify Security Control Assessment Team
    • Prepare for the Security Assessment
    • Security Control Assessment Procedures
  • Step 5: Authorize
    • Types of Authorizations
    • Authorization Decisions
    • Security Authorization Package
    • Documentation
  • Step 6: Monitor
    • ISCM Strategy Considerations
    • Automated Tools
    • System Decommissioning and Removal
  • Project Planning
  • Preparing for Success
  • System Acquisition
  • Knowledge Service

RMF publications covered in this training program include: DoDI 8500.01 and 8510.01; CNSSI 1253; FIPS 199 and 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.

There are also various exercises and case studies throughout the duration of the training. Information on DIACAP-to-RMF transition and application of eMASS are included throughout these instructional units.

Class Activity Highlights

  • Informal Risk Assessment
  • Propose a Boundary
  • Categorize the System
  • Identify Security Control Requirements
  • Allocate Security Controls
  • Identify Applicable Overlays
  • Write Justification Statements for Non-applicable Controls
  • Propose Criteria and Frequencies for Continuous Monitoring
  • Write Control Implementation Statements
  • Identify Security Control Assessment Methods
  • Transition Plan
  • Identify Stakeholders
  • Prepare for Project Kick-off Meeting
  • Prepare for Project Activities, Timelines and Participants

Seeking CAP Certification?

The full four-day RMF for DoD IT training program covers the “domains” required for the Certified Authorization Professional (CAP) examination.

What if I Have Questions After Training?

Get post-class support at no charge! Need an RMF expert at your fingertips? That’s exactly what our post-training support gives you. Known as TrainPlus!, this support program includes dedicated account management and access to a leading RMF expert in our monthly RMF conference call.

  • Get your questions answered.
  • Gain better knowledge and confidence.
  • Not only learn the material, become the material through greater collaboration.

It’s easy. Just dial in for a scheduled webinar and spend time with our RMF Subject Matter Expert to hear your questions answered along with other students’ questions. After all, education doesn’t stop just because the class is over.

Training Options:

The Risk Management Framework for DoD IT training program is offered on a regularly scheduled basis at our training sites in Virginia Beach, Colorado Springs, San Diego, Salt Lake City, Huntsville, Pensacola, Oakland, Dallas, and the Washington, DC (National Capital Region) area. Each session is also available to distance learners via Personal Classroom (online, instructor-led) technology. We are also able to bring this training on-site to your facility.

About the Instructors

The instructors tasked to deliver this training have previously developed training programs for the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Federal Information Security Management Act (FISMA). These have now been completely revamped to reflect the unification of information security and risk management practices in accordance with the Risk Management Framework (RMF). To date, thousands of military personnel, civilian government employees and contractor personnel have completed one or more of these RMF for DoD IT training programs.