Training Duration:

4 days


Employees of federal, state and local governments; and businesses working with the government.

Course Outline:

RMF for DoD IT – Fundamentals (Day One)
The first day of this course provides an overview of information security and risk management and proceeds to a high-level view of the Risk Management Framework. Discussion is centered on policies, roles and responsibilities, along with key publications from the National institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). The class includes high-level discussion of the RMF  “life cycle”, including security authorization (aka. certification and accreditation), along with the RMF documentation package and NIST security controls.

  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Categorize, Select, Implement, Assess, Authorize, Monitor
  • Documentation
  • Security Controls and Assessment Procedures
  • Resources

RMF for DoD IT – In-Depth (Days Two through Four)
The remaining days of this course expand on the topics above at a level of detail that enables practitioners to immediately apply the training to their daily work. Each student will gain an in depth knowledge of the relevant DoD, NIST and CNSS publications along with the practical guidance needed to implement them in the work environment. Each life cycle activity in the DoD Instruction 8510.01 is covered in detail, as is each component of the corresponding documentation package. NIST Special Publication (SP) 800-53 Security Controls, along with corresponding assessment procedures, are covered in detail, as are CNSS Instruction 1253 “enhancements”.  Specific attention is paid to the process of transition from DIACAP to RMF, as well as the application of the eMASS tool to various aspects of the RMF life cycle.
Class participation exercises and collaboration reinforce key concepts.

  • Step 1: Categorize
    • Categorize the System
    • Describe the System and Boundary
    • Conduct a Basic Risk Assessment
    • Register the System
  • Step 2: Select
    • Security Control Overview
    • Analyze Security Controls
    • Select the Control Baseline
    • Tailor the Control Baseline
    • Planning for Continuous Monitoring
  • Step 3: Implement
    • Implement Control Solutions
    • Document Security Control Implementation
    • STIGs and Automated Tools
  • Step 4: Assess
    • Identify Security Control Assessment Team
    • Prepare for the Security Assessment
    • Security Control Assessment Procedures
  • Step 5: Authorize
    • Types of Authorizations
    • Authorization Decisions
    • Security Authorization Package
    • Documentation
  • Step 6: Monitor
    • ISCM Strategy Considerations
    • Automated Tools
    • System Decommissioning and Removal
    • Project Planning
    • Preparing for Success
    • System Acquisition
    • Knowledge Service

RMF publications covered in this training program include: DoDI 8500.01, 8510.01; CNSSI 1253, FIPS 199, 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.

Class Activity Highlights:

  • Informal Risk Assessment
  • Propose a Boundary
  • Categorize the System
  • Identify Security Control Requirements
  • Allocate Security Controls
  • Identify Applicable Overlays
  • Write Justification Statements for Non- applicable Controls
  • Propose Criteria and Frequencies for Continuous Monitoring
  • Write Control Implementation Statements
  • Identify Security Control Assessment Methods
  • Transition Plan
  • Identify Stakeholders
  • Prepare for Project Kick-off Meeting
  • Prepare for Project Activities, Timelines and Participants

Seeking RMF Certification?

This course includes concepts that are covered on the RDRP (Registered DoD RMF Professional) exam.  After the class you will be eligible to take this 50 question competency test in order to earn this certification.  If interested, the exam costs $100.

RDRP maps to a variety of work roles as defined by The National Initiative for Cybersecurity Work Framework (NCWF). NCWF was developed in partnership with over 20 agencies and the federal departments to establish baseline qualifications in cybersecurity career development.

In addition, the full four-day training program covers the “domains” required for the Certified Authorization Professional (CAP) examination.  We have had many students do additional study on their own after the class and achieve the CAP certification (exam not included). The class is not geared as a Boot Camp to prep you for the cert though.  The goal of this course is to get students to understand, in depth, the steps of RMF.

What if I Have Questions After Training?

Get Post Class Support at No Charge!  Need an RMF Expert at your finger tips?  That’s exactly what our post training support gives you. Known as TrainPlus!, this support program includes dedicated account management, and access to a leading expert in our monthly conference call. 

  • Get your questions answered.  
  • Gain better knowledge and confidence.   
  • Not only learn the material, become the material through greater collaboration. 

It’s easy. Just dial in for a scheduled webinar and spend time with our SME to hear your questions answered along with other students’ questions.

Delivery Options:

This course is offered on a regularly-scheduled basis at our training sites in Virginia Beach, Colorado Springs, San Diego, Salt Lake City, Huntsville, Pensacola, Oakland, Dallas, Seattle, Dayton, Aberdeen and the Washington, DC (National Capital Region) area. Each session is also available to distance learners via Personal Classroom (online, instructor-led) technology.  We are also able to bring this training on-site to your facility.

About the Instructors:

The instructors tasked to complete this training have previously developed training programs for DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Federal Information Security Management Act (FISMA). These have now been completely revamped to reflect the unification of information security and risk management  practices in accordance with the Risk Management Framework (RMF).  To date, thousands of military personnel, civilian government employees and contractor personnel have completed our class.