So, You Think You Can Practice RMF: Breaking into Cybersecurity as an RMF Practitioner

This blog excerpt is taken from our July 2023 newsletter. To view the rest of the newsletter, visit

By Philip D. Schall, Ph.D., CISSP, RDRP

As a college professor and Director of Training at BAI RMF Resource Center, I often am approached by students of all ages asking how they can break into cybersecurity and the RMF field. What generally follows is a dialogue regarding whether they need a college degree, certifications, etc. For the past few years, I have usually directed students to where they see a glaring employment gap and the promise of hefty salaries, and with some blend of a college degree and certifications, they get their first jobs. Unfortunately, during the last year, I have seen a shift and students having a tough time securing employment.

In this article, I will not focus on the current tech economy, but will instead offer a commentary on what I have observed as the ideal blend of education and certification to break into the field. I have read a few articles recently on LinkedIn which suggest that a college degree is no longer useful and hopeful job candidates should secure certifications and up their technical skills. I am a bit biased as a college professor, but I believe in the value of an approachable and affordable college education.

Higher Education

As someone who sees students work through four years of undergraduate coursework and grow into young professionals, I have witnessed first-hand the growth that occurs throughout the college experience. With that said, not all degree programs are equal, and I am a strong proponent of affordable state schools or community colleges if a student cannot secure a large scholarship or does not come from a background of strong means. Essentially, unlike many, I still believe in the value of a traditional college degree, but I recognize that not all programs are built to the same quality.


Next on my list are cybersecurity and IT certifications. My stance on these is straightforward: I firmly believe that a traditional college degree (bachelor’s or associate) is greatly enhanced when a graduating senior or career switcher can show a hiring director that they have the ambition to obtain a certification like Security+ or CISSP early in their career. I recognize that these first certifications can be daunting, but they can indicate that a candidate has the tenacity to attempt a challenging certification exam with little experience.

It is worth mentioning that BAI RMF Resource Center offers something akin to a certification called RDRP. RDRP stands for Registered DoD RMF Practitioner. This essentially serves as a registry for folks who have received RMF training and have passed BAI’s proprietary RMF exam. Information about RDRP can be found at the following link:

Professional and Extracurricular Experience

The final and often most difficult element for a graduating college student is experience.

I suggest that the student do everything they can to secure an internship, and if this is not possible, they should gain experience on a university cyber team or through creating a small business that provides IT or cybersecurity support to local businesses.

Overall, I firmly believe in having a blend of a college degree, certifications, and some real-world experience. As the job market gets tighter and the cybersecurity career gap shrinks, the job market will continue to be highly competitive, and we are still encountering entry-level jobs written with mid-level skill requirements.

The number one piece of advice I can give new graduates trying to break into the field is to have tenacity and a drive to succeed. I had a student a few years ago with no experience besides working at a gas station, and after following the advice above and submitting 130 job applications he got his first job. The student in reference is now a mid-level cybersecurity engineer for a major cybersecurity firm.

Becoming an RMF Practitioner

Beyond these beginner cybersecurity suggestions, when asked how to get into the RMF field, I first warn that RMF does not appear to be the most exciting work to do, but the skillset is in high demand and an interesting skillset once mastered. I then suggest that students take an entry-level RMF class like RMF for DoD IT offered by BAI or at a minimum watch the video series BAI and CompTIA partnered with called RMF Micro Edition.

Once some basic RMF education has been completed, I advise students to search for entry-level roles and make sure they have baseline cybersecurity certifications required for these roles. I find baseline cybersecurity certifications like Security+ paired with RDRP and a college degree can position students strongly to be interviewed for entry-level RMF positions. From there, it becomes an exercise in gaining experience and climbing the ladder to intermediate and senior in short suspense.

“Genius is 1% talent and 99% hard work…”

–Albert Einstein
