Introduction to Risk Management Framework Training (RMF)


Introduction:

Introduction to Risk Management Framework Training (RMF) Course with Hands-on Exercises (Online, Onsite and Classroom Live)

This Introduction to Risk Management Framework Training (RMF) course introduces the Risk Management Framework (RMF) and Cybersecurity policies for the Department of Defense (DoD). The Introduction to Risk Management Framework Training (RMF) course will address the current state of Cybersecurity within DoD and the appropriate transition timelines. In addition, it identifies the six steps of the RMF and highlights the key factors to each step.

Duration: 2 days


Customize It:

  • If you are familiar with some aspects of the Introduction to Risk Management Framework Training – RMF Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Introduction to Risk Management Framework Training – RMF Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Introduction to Risk Management Framework Training – RMF Training course in a manner understandable to lay audiences.

Introduction to Risk Management Framework Training (RMF) – Audience / Target Group:

The target audience for this Introduction to Risk Management Framework Training – RMF Training course is defined here:

  • IT professionals in the area of cybersecurity
  • DoD employees and contractors or service providers
  • Government personnel working in the cybersecurity area
  • Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
  • Employees of federal agencies and the intelligence community
  • Assessors, assessment team members, auditors, inspectors or program managers in the information technology area
  • Anyone looking to implement information assurance for an organization based on recent policies
  • Information system owners, information owners, business owners, and information system security managers

Introduction to Risk Management Framework Training (RMF) – Objectives:

After completing this Introduction to Risk Management Framework Training – RMF Training course, attendees will be able to:

  • Understand the Risk Management Framework and risk management and assessment for information technology systems
  • Apply cost-effective security controls based on risk and on best practices for assessment and analysis
  • Understand the RMF/FISMA/NIST processes for authorizing federal IT systems
  • Explain the RMF step-by-step procedures
  • Differentiate traditional certification and accreditation (C&A) from RMF
  • Understand the different key roles in RMF and their responsibilities
  • Recognize recent NIST and FISMA publications regarding RMF and select, implement, and assess security controls
  • Apply the step-by-step RMF procedure to real-world applications, and know ways to monitor security controls
  • Tackle the problems that arise in each phase of the RMF procedure

Introduction to Risk Management Framework Training (RMF) – Course Syllabus:

Information Security and Risk Management Framework (RMF) Foundation

  • Purpose of RMF
  • Components of Risk Management
  • Importance of Risk Management
  • Risk Management for Organizations
  • Risk Management for Business processes
  • Risk Management for Information System
  • Concept of Trust and Trustworthiness in Risk Management
  • Organizational Culture
  • Key Risk Concepts and their Relationship
  • Framing Risks
  • Assessing Risk
  • Risk Assessment Steps
  • Responding to Risk
  • Mitigating Risks
  • Monitoring the Risk
  • Risk Management Process Tasks
  • Risk Response Strategies

RMF Laws, Regulations and Guidance

  • Office of Management and Budget (OMB) Laws
  • National Institute of Standards and Technology (NIST) Publications
  • Committee on National Security Systems (CNSS)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Privacy Act of 1974 (Updated in 2004)
  • Transmittal Memorandum, OMB A-130
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Financial Services Modernization Act
  • OMB M-00-13
  • Critical Infrastructure Protection
  • Federal Information Security Management Act (FISMA)
  • HSPD 7
  • Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
  • Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

  • FISMA Compliance Overview
  • FISMA Trickles into the Private Sector
  • FISMA Compliance Methodologies
  • NIST RMF
  • DIACAP
  • DoD RMF
  • ICD 503 and DCID 6/3
  • Understanding the FISMA Compliance Process
  • Establishing a FISMA Compliance Program
  • Preparing the Hardware and Software Inventory
  • Categorizing Data Sensitivity
  • Addressing Security Awareness and Training
  • Addressing Rules of Behavior
  • Developing an Incident Response Plan
  • Conducting a Privacy Impact Assessment
  • Preparing a Business Impact Analysis
  • Developing the Contingency Plan
  • Developing a Configuration Management Plan
  • Preparing the System Security Plan
  • Performing the Business Risk Assessment
  • Security Testing and Security Packaging
  • FISMA for Clouds

New Requirements under FISMA 2015

  • Continuous Diagnostics and Mitigation (CDM) Program
  • FISMA Metrics
  • Federal Government Programs Designed to Combat Growing Threats
  • Cybersecurity 2015 Cross Agency Priority (CAP) Goal
  • Formalized Process for Proactive Scans of Public Facing Agency Networks
  • DHS US-CERT Incident Notification Guidelines
  • Information Security Program Oversight Requirements
  • Privacy Management Guidance
  • Mobile Devices
  • Security Incident Reporting
  • Protection of Agency Information
  • Ongoing Authorization

Risk Management Framework Steps

  • Categorizing
  • Selection
  • Implementation
  • Assessing
  • Authorizing
  • Monitoring

System Development Life Cycle (SDLC)

  • Initiation
  • Development/Acquisition
  • Implementation/Assessment
  • Operation and Maintenance
  • Disposal

Transition from C&A to RMF

  • Certification and Accreditation (C&A) Process
  • C&A Phases
  • Initiation
  • Certification
  • Accreditation
  • Monitoring
  • RMF, a High Level View
  • Transition and Differences
  • Key Roles to Implement the RMF

Expansion of the RMF

  • Implementation of the RMF in the Intelligence Community
  • Implementation of the RMF in DoD
  • Implementation of the RMF in the Private Sector
  • Future Updates to the RMF Process
  • Using the RMF with Other Control Sets
  • FedRAMP
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI)
  • Other Standards used with RMF

Security Control Assessment Requirements

  • NIST SP 800-53A Assessment Methods
  • Security Control Baseline Categorization
  • CNSSI 1253 Baseline Categorization
  • New Controls Planned in Recent Revision
  • FedRAMP Controls
  • SP 800-53 Security Controls to HIPAA Security Rule
  • PCI DSS Standards

RMF for IT

  • NIST RMF
  • IT and RMF Process
  • Enterprise-wide IT Governance authorization of IT Systems and Services
  • Risk Based Approach Instead of Check Lists
  • DT&E and OT&E Integration
  • RMF Embedded in Acquisition Lifecycle
  • Continuous Monitoring and Timely Correction of Deficiencies
  • Automated Tools
  • Cybersecurity Implementation via Security controls
  • Reciprocity Application

Optional Modules and Activities:

Hands On, Workshops and Group Activities

  • Labs
  • Workshops
  • Group Activities

Workshops and Labs for Introduction to RMF Training

  • Categorizing the Information System Based on the Information Type Using NIST SP 800-60
  • Determining the Security Category for Confidentiality, Availability, and Integrity of the System
  • Identifying Controls Case Study, Second Phase of RMF, Using NIST SP 800-53
  • RMF Phase 3 Case Study, Resolving the Control Planning Issues
  • Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
  • Developing Plan of Action and Milestones (POA&M)
  • RMF Monitoring Phase; Assessing the Controls based on Schedule

Key Standards and Guidelines

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Controls)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Assessment)
  • NIST Special Publication 800-37 (System Risk Management Framework)
  • NIST Special Publication 800-3(Enterprise-Wide Risk Management)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-5(National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)

FIPS and NIST Special Publications (PUBS)

  • General Information
  • FIPS Changes and Announcements
  • FIPS Standards
  • FIPS PUB 140-2; Security Requirements for Cryptographic Modules
  • FIPS PUB 180-4; Secure Hash Standard (SHS)
  • FIPS PUB 186-4; Digital Signature Standard (DSS)
  • FIPS PUB 197; Advanced Encryption Standard (AES)
  • FIPS PUB 198-1; Keyed-Hash Message Authentication Code (HMAC)
  • FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
  • FIPS PUB 200; Minimum Security Requirements for Federal Information and Information systems
  • FIPS PUB 201-2; Personal Identity Verification (PIV)
  • FIPS PUB 202; SHA-3 Standard

Creating RMF Roles and Responsibilities

  • Agency Head
  • Risk Executive
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Senior Information Security Officer (SISO)
  • Authorizing Official (AO)
  • Delegated Authorizing Official (DAO)
  • Security Control Assessor
  • Common Control Provider (CCP)
  • Information Owner
  • Mission/Business Owner (MBO)
  • Information System Owner
  • Information System Security Engineer (ISSE)
  • Information System Security Manager (ISSM)
  • Information System Security Officer (ISSO)
  • Risk Analyst
  • Executive Management
  • User Representatives
  • Information Security Architect
  • Computer Incident Response (CIR) Team
