4 days


Employees of federal, state and local governments, and businesses working with the government.

Course Note:

This course is rarely offered on our public schedule and is most often available only as a private on-site or private Live Remote Online training session. If you have a group that is interested in this training, please contact us.

Course Description:

The Risk Management Framework (RMF) is the unified information security framework for the entire federal government. It replaces the legacy Certification and Accreditation (C&A) processes within federal government departments and agencies, the Department of Defense (DoD) and the Intelligence Community (IC).
RMF is an integral part of the implementation of FISMA, the Federal Information Security Management Act, and is based on publications of the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS).
The RMF for Federal Agencies training program is suitable for federal employees and contractors in non-DoD “civil” agencies and the intelligence community. The full program consists of a one-day RMF for Federal Agencies – Fundamentals class, followed by a three-day RMF for Federal Agencies – In Depth class.
RMF for Federal Agencies – Fundamentals (One Day) provides an overview of information security and risk management, then proceeds to a high-level view of FISMA regulations, roles and responsibilities, and the NIST RMF process steps, including security authorization (formerly known as certification and accreditation). It also includes an introduction to the NIST RMF documentation package and the NIST security controls.

  • Introduction And Logistics
  • The Foundation Of Information Security and Risk Management
  • Understanding FISMA
  • FIPS and NIST SP
  • Security Compliance
  • Introduction to the Risk Management Framework (RMF)
  • Introduction to Security Controls
  • Key Roles in RMF
  • RMF Documentation
  • Resources
  • Course Review
  • Course Evaluation (Q&A)

RMF for Federal Agencies – In Depth (Three Days) expands on these topics at a level of detail that enables practitioners to apply the training immediately to their daily work. Each student gains in-depth knowledge of the NIST publications, along with the practical guidance needed to implement them in their own environment. Each activity in the NIST SP 800-37 Risk Management Framework is covered in detail, as is each component of the documentation package. The NIST SP 800-53 security controls and the NIST SP 800-53A assessment procedures are covered in detail, as are the CNSSI 1253 additions applicable to National Security Systems and the intelligence community. Class participation exercises and collaboration reinforce key concepts. RMF for Federal Agencies – Fundamentals is recommended as a prerequisite to RMF for Federal Agencies – In Depth.

  • Introduction and Logistics
  • Review: Information Security, FISMA, Risk Management
  • RMF Roles and Responsibilities in detail
  • Risk Management Overview
  • RMF Implementation – NIST SP 800-37
    • Step 1 – Categorize (FIPS 199 & NIST SP 800-60)
    • Step 2 – Select (NIST SP 800-53 Rev 4)
    • Step 3 – Implement
    • Step 4 – Assess (NIST SP 800-53A)
    • Step 5 – Authorize
    • Step 6 – Monitor (NIST SP 800-137)
  • RMF documentation
    • System Security Plan (SSP) – NIST SP 800-18
    • Security Assessment Report
    • Risk Assessment – NIST SP 800-30
    • Plan of Action and Milestones
    • Transmittal and Decision Letters
    • Supporting Documentation
  • NIST SP 800-53 Security Controls
    • Management Controls
    • Operational Controls
    • Technical Controls
  • Assessment Procedures
  • Resources
  • Security Tools
  • Practical Guidance
  • Case Study
  • Course Review
  • Course Evaluation / Q&A
  • FISMA RMF “Jeopardy”

What if I Have Questions After Training?

Train Plus is our RMF training partner's post-class Q&A session for students who have attended a class. Whether your training took place online, on-site or at an IT Dojo facility, our partners deliver this follow-up session to answer questions that arise after the class.
It's easy. Just dial in to a scheduled webinar and spend time with our RMF Subject Matter Expert, who will answer your questions along with those of other students. After all, education doesn't stop just because the class is over.

Who Should Attend?

The RMF for Federal Agencies training program is appropriate for employees and contractors of federal civil agencies and the intelligence community, as well as their supporting vendors and service providers. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for Federal Agencies – Fundamentals (one day). Those who wish to gain detailed implementation knowledge of RMF and the NIST security controls should attend both RMF for Federal Agencies – Fundamentals and RMF for Federal Agencies – In Depth (four days in total).

About the Instructors

The instructors who deliver this training previously developed training programs for the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Federal Information Security Management Act (FISMA). Those programs have now been completely revamped to reflect the unification of information security and risk management practices under the Risk Management Framework (RMF). To date, thousands of military personnel, civilian government employees and contractor personnel have completed one or more of these training programs.
If you are looking for other dates or would like to bring an instructor into your facility or city, please contact us!