IT1741: Risk Management Framework (RMF)

Course Length: 4 days - 5 days (32 hrs - 40 hrs)

Prerequisites: None

Format: Onsite, online

The Risk Management Framework (RMF) course covers FISMA requirements as applied to conducting Federal system Authorization processes. Students will be guided through the six-step RMF Life Cycle, covering Publications and Guidance in support of the RMF six-step process.

In this course, you will gain a thorough understanding of the new DoD authorization process as required by DoDI 8510.01, Risk Management Framework for DoD IT, 14 March 2014, and based on the new Committee of National Security Systems Instruction 1253 (CNSSI 1253), Security Categorization and Security Control Selection for National Security Systems (NSS), 27 March 2014, and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

RMF is the latest in the evolution from the earlier DIACAP.

Topics Covered:

• Authorization process
• Risk management
• Risk assessment
• Roles and responsibilities
• RMF tools and documentation
• Categorize information and information systems
• Select, implement, and assess security controls
• Authorize information system
• Monitor security controls (Continuous monitoring)

Course Outline:

1. Understand Security Authorization

• Concept of Authorization Process
• Problem, Controls, Implement, Assess, Approve and Maintain
• Authorization Evolution
• DITSCAP, NIACAP, FISMA, NIST, DIACAP, and RMF
• Department of Defense (DoD) Risk Management Framework (RMF)
• DoD: DoDI 8500.01 and DoDI 8510.01
• CNSS: CNSSP-42, CNSSI-1253 and Appendix K Annexes, CNSSI-1253A, and CNSS 4009
• NIST: SP 800-18, SP 800-37, SP 800-39, SP 800-53, SP 800,53A, SP 800-137, and SP 800-160
• Security Processes and Concepts
• Adequate Security and Risk-Based Cost-Effective - OMB Circular A-130
• Security Objectives: Confidentiality, Integrity and Availability
• Risk: Low, Moderate, and High
• Privacy Rules: HIPAA and Personally Identifiable Information (PII)
• Trust Relationships: Reciprocity and Documents
• Defense-in-Depth
• Risk Management (NIST SP800-39)
• Risk Assessment (NIST SP800-30)
• Qualitative, Quantitative, and Quasi-Quantitative
• Roles and Responsibilities (NIST SP800-37 and DoD 8510.01)
• DoD and Component Chief Information Officers (CIO)
• Risk Executive (Function)
• DoD and Component Senior Information Security Officer (SISO)
• Authorizing Official (AO)
• AO Designated Representative (AODR)
• Information Owner (IO) / Steward
• Common Control Provider (CC Provider)
• Information System Security Manager (ISSM)
• Information System Owner (ISO)
• Information System Security Engineer ISSE) Security Control Assessor (SCA)
• User Representative (UR)
• RMF Tools - Documentation
• eMASS and Information Assurance Support Environment (IASE)

2. RMF Step 1 - Categorize Information and Information System

• System Security Plan - SP 800-18 and Sample SP
• Categorization - CNSSI-1243
• Accreditation Boundaries - SP 800-37
• Interconnecting Information Systems - SP 800-47
• System Registration

3. RMF Step 2 - Select Security Controls

• Specific, Common and Hybrid Controls - SP 800-53 and CNSSI-1253
• Overlays - CNSSI-1253, SP 800-53, and Sample Overlay
• Selecting Security Controls - CNSSI-1253, FIPS-200, and SP 800-53
• Tailoring Controls - CNSSI-1253 and SP 800-53
• Continuous Monitoring Control Selection - SP 800-137

4. RMF Step 3 - Implement Security Controls

• Security Control Implementation - SP 800-53
• Compensating Controls - SP 800-53
• Approved Configurations, Tests and Checklists - SP 800-70, eMASS and IASE.mil
• Contingency Planning - SP 800-34

5. RMF Step 4 - Assess Security Controls

• Assessment and Testing Methods - SP 800-53A and SP 800-115
• Vulnerability Tools and Techniques
• Develop Security Assessment Plan and Report - Sample SAR
• Assessor Expertise and Independence
• Conduct Security Control Assessments

6. RMF Step 5 - Authorize Information System

• Plan Of Actions and Milestones (POA&M) - OMB M-01-01 and Sample POA&M
• Security Authorization Package
• SSP, SAR, and POA&M
• Authorization
• Authority to Operate (ATO)
• Interim Authorization to Test (IATT)
• Denial of Approval to Operate (DATO)
• Special Authorizations
• Type Authorizations
• Platform Information Technology (PIT) Authorizations

7. RMF Step 6 - Monitor Security Controls

• Continuous Monitoring - SP 800-53
• Information Security Continuous Monitoring (ISCM) - SP 800-137
• Security Configuration Management - SP 800-128
• Patch and Vulnerability Management - SP 800-40
• Security Content Automation Protocol (SCAP)

• Regulations and Standards
• Authorization Evolution
• NIST and DoD RMF Processes
• Risk Management Framework Steps and Tasks
• Integration of Risk Management into the SDLC
• Security Plan (SP) Template
• Control Families
• 20 Critical Security Controls Consensus Audit Guidelines (CAG)
• Continuous Monitoring Related Tools Sample Security Plan (SP)
• Sample Security Assessment Report (SAR) Plan of Action and Milestones (POA&M)
• Sample Information Security Continuous Monitoring Plan (ISCMP)
• Security Control Overlay Template
• Cross Domain Solution Overlay
• Sample ISCM from Fed RAMP
• Patch and Vulnerability Management
• DoD Cybersecurity Glossary

Notes: Formerly IIUSA-621: Project Management – DIACAP. This is normally delivered as a 32-hour class, with an optional 8 additional hours for ISC2 CAP certification preparation.