Risk Management Framework Training: RMF for DoD IT

Duration:

4 days

Audience:

Employees of federal, state and local governments; and businesses working with the government.

Course Description:

In accordance with the Federal Information Security Management Act (FISMA), a fundamental transformation in Federal Information Security (also known as Information Assurance or Cybersecurity) practices is taking place. The goal is to standardize the processes of risk management and security authorization (certification and accreditation) across DoD, Federal “Civil” Agencies (e.g., Dept. of State, Homeland Security, Treasury, etc.), and the Intelligence Community.

The National Institute of Standards and Technology (NIST), in partnership with the Joint Task Force Transformation Initiative (JTFTI), has developed a Risk Management Framework (RMF) and a comprehensive set of Security Controls (requirements) for implementation across the spectrum of Federal programs and IT systems.

Federal “Civil” agencies have aligned their information security practices to the NIST process and controls. DoD is currently in the midst of transition from DIACAP and DoD “IA Controls” to RMF and NIST security controls. A similar transformation from legacy processes to RMF has been underway for some time in Intelligence Community Agencies.

In order to effectively support this transformation, Federal and DoD employees, contractors and vendors need education on RMF as soon as possible.

Who should attend?

Our RMF training program is appropriate for DoD employees and contractors, as well as their supporting vendors and service providers. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for DoD IT – Fundamentals (one day). Those who wish to gain detailed implementation knowledge of RMF and NIST Security Controls should attend both RMF for DoD IT – Fundamentals and RMF for DoD IT – In Depth (total of four days).

Seeking CAP Certification?

The full four-day RMF for DoD IT training program (“Fundamentals” + “In-Depth”) covers the “domains” required for the Certified Authorization Professional (CAP) examination.

Please note ITdojo provides training only. The CAP exam itself is administered by ISC2 (www.isc2.org).

Course Outline

RMF for DoD IT – Fundamentals (One Day)

This course provides an overview of information security and risk management and proceeds to a high-level view of RMF for DoD IT. Discussion is centered on RMF for DoD IT policies, roles and responsibilities, along with key publications from the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). The class includes high-level discussion of the RMF for DoD IT “life cycle”, including security authorization (also known as certification and accreditation), along with the RMF documentation package and NIST security controls.

  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Categorize, Select, Implement, Assess, Authorize, Monitor
  • RMF Documentation
  • Security Controls and Assessment Procedures
  • RMF and DIACAP
  • RMF Resources

RMF for DoD IT – In-Depth (Three Days)

This course expands on these topics at a level of detail that enables practitioners to immediately apply the training to their daily work. Each student will gain in-depth knowledge of the relevant DoD, NIST and CNSS publications along with the practical guidance needed to implement them in the work environment. Each life cycle activity in DoD Instruction 8510.01 (RMF for DoD IT) is covered in detail, as is each component of the corresponding documentation package. NIST Special Publication (SP) 800-53 Security Controls, along with the corresponding assessment procedures, are covered in detail, as are CNSS Instruction 1253 “enhancements”. Specific attention is paid to the process of transition from DIACAP to RMF, as well as the application of the eMASS tool to various aspects of the RMF life cycle. Class participation exercises and collaboration reinforce key concepts. RMF for DoD IT – Fundamentals is strongly recommended as a prerequisite to RMF for DoD IT – In-Depth.

  • Step 1: Categorize
    • Categorize the System
    • Describe the System and Boundary
    • Conduct a Basic Risk Assessment
    • Register the System
  • Step 2: Select
    • RMF Security Control Overview
    • Analyze Security Controls
    • Select the Control Baseline
    • Tailor the Control Baseline
    • Planning for Continuous Monitoring
  • Step 3: Implement
    • Implement Control Solutions
    • Document Security Control Implementation
    • STIGs and Automated Tools
  • Step 4: Assess
    • Identify Security Control Assessment Team
    • Prepare for the Security Assessment
    • Security Control Assessment Procedures
  • Step 5: Authorize
    • Types of Authorizations
    • Authorization Decisions
    • Security Authorization Package
    • Documentation
  • Step 6: Monitor
    • ISCM Strategy Considerations
    • Automated Tools
    • System Decommissioning and Removal
  • Project Planning
    • Preparing for Success
    • System Acquisition
    • Knowledge Service
    • Informal Risk Assessment
    • Propose a Boundary
    • Categorize the System
    • Identify Security Control Requirements
    • Allocate Security Controls
    • Identify Applicable Overlays
    • Write Justification Statements for Non-applicable Controls
    • Propose Criteria and Frequencies for Continuous Monitoring
    • Write Control Implementation Statements
    • Identify Security Control Assessment Methods
    • Transition Plan
      • Identify Stakeholders
      • Prepare for Project Kick-off Meeting
      • Prepare for Project Activities, Timelines and Participants

RMF publications covered in this training program include: DoDI 8500.01, 8510.01; CNSSI 1253, FIPS 199, 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.

There are also various exercises and case studies throughout the duration of the training.

Class Activity Highlights

  • Informal Risk Assessment
  • Propose a Boundary
  • Categorize the System
  • Identify Security Control Requirements
  • Allocate Security Controls
  • Identify Applicable Overlays
  • Write Justification Statements for Non-applicable Controls
  • Propose Criteria and Frequencies for Continuous Monitoring
  • Write Control Implementation Statements
  • Identify Security Control Assessment Methods
  • Transition Plan
  • Identify Stakeholders
  • Prepare for Project Kick-off Meeting
  • Prepare for Project Activities, Timelines and Participants

What if I Have Questions After Training?

Get Post Class Support at No Charge!

Need an RMF expert at your fingertips? That’s exactly what our post-training support gives you. Known as TrainPlus!, this support program includes dedicated account management and access to a leading RMF expert in our monthly RMF conference call.

  • Get your questions answered.
  • Gain better knowledge and confidence.
  • Not only learn the material, become the material through greater collaboration.

It’s easy. Just dial in for a scheduled webinar and spend time with our RMF Subject Matter Expert to hear your questions answered along with other students’ questions. After all, education doesn’t stop just because the class is over.

Training Options:

The Risk Management Framework for DoD IT training program is offered on a regularly scheduled basis at our training sites in Virginia Beach, Colorado Springs, Huntsville, and the Washington, DC (National Capital Region) area. Each session is also available to distance learners via Personal Classroom (online, instructor-led) technology. We are also able to bring this training on-site to your facility.

About the Instructors

The instructors who deliver this training previously developed training programs for the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Federal Information Security Management Act (FISMA). Those programs have now been completely revamped to reflect the unification of information security and risk management practices under the Risk Management Framework (RMF). To date, thousands of military personnel, civilian government employees and contractor personnel have completed one or more of these RMF for DoD IT training programs.