Department of Defense Risk Management Framework
Days of Training: 4
Course Description
Risk Management Framework (RMF) is the unified information security framework for the entire Federal
government that is replacing the legacy Certification and Accreditation (C&A) processes within Federal
government departments and agencies, the Department of Defense (DoD) and the Intelligence
Community (IC). DoD has officially begun its transition from legacy DIACAP processes to the new RMF
for DOD process.
Department of Defense Risk Management Framework enables practitioners to immediately apply the
training to their daily work. Each activity in the Risk Management Framework is covered in detail, as is
each component of the documentation package and the continuous monitoring process. DoDI 8510.01,
NIST 800-53 Security Controls and NIST 800-53a Evaluation Procedures are also covered in detail. Class
participation exercises reinforce key concepts. RMF is designed for those who need to become
proficient in the nuts and bolts of FISMA RMF implementation. This course provides the practical
knowledge you need, without being slanted in favor of a specific software tool set.
Other Courses in the Series
There are no other courses in this series.
Outline
Chapter 1: Introduction
Key concepts including assurance, assessment, authorization’
Security controls: structure, types, families
Key characteristics of security
Chapter 2: Cybersecurity Policy Regulations and Framework
Evolution and interaction of security laws, policy, and regulations in cybersecurity
DoD cybersecurity drivers
Cybersecurity guidance
Assessment and authorization transformation goals
Chapter 3: RMF Roles and Responsibilities
Tasks and responsibilities for RMF roles
Chapter 4: Risk Analysis Process
Four-step risk management process
Impact level
Level of risk
Chapter 5: Step 1: Categorize
Key documents in RMF process
Security Categorization
Information System Description
Information System Registration
Lab 1: Categorize a fictitious DoD agency information system
Chapter 6: Step 2: Select
Common Control Identification
Security Control Selection
Monitoring Strategy
Security Plan Approval
Lab 2: Select security controls for a fictitious DoD agency information system
Chapter 7: Step 3: Implement
Security Control Implementation
Security Control Documentation
Lab 3: Discuss and review decisions related to implementation of security controls
Chapter 8: Step 4: Assess
Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions
Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious
DoD agency.
Chapter 9: Step 5: Authorize
Plan of Action and Milestones
Security Authorization Package
Risk Determination
Risk Acceptance
Lab 5: Practice compiling the documents that make up the Security Authorization Package
Chapter 10: Step 6: Monitor
Information System and Environment Changes
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination and Acceptance
Information System Removal and Decommissioning
Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD
agency and propose steps to remediate them.
Chapter 11: Resources
eMass
RMF Knowledge Service
CyberScope