
RMF Alignment with the ISC2 CGRC Exam

By Kathryn Daily, CISSP, CGRC (Formerly CAP), RDRP

BAI’s training programs were developed with the information systems professional in mind. NIST’s Risk Management Framework is one of the most widely used governance, risk and compliance frameworks in the nation and forms the core of the ISC2 CGRC Exam Content (for exams after June 15, 2024). In fact, the certification was initially focused entirely on the Risk Management Framework, when it was called the Certified Authorization Professional. Once they changed the name to Certified in Governance, Risk, and Compliance, they tried to move away from a purely RMF-based certification to reach a wider audience; however, given the robust nature of the Risk Management Framework, it is still the primary focus of the exam.

Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program

In Domain 1, the focus is on the core principles of building a GRC program within your organization. This tenet is core to the RMF for DoD (or RMF for Federal Agencies) training program. The tasks and subtasks within Domain 1 are covered in Day 1 of the 4-day training program by introducing the concept of the Risk Management Framework.

Domain 2: Scope of the System

Scoping the system aligns perfectly with Steps 0 and 1, where the description and categorization of the system are performed based on the information stored and the risk to that information. Fun Fact: BAI was teaching step 0 before NIST updated the 800-37 to include it, as the preparation tasks were previously required to accurately produce a package for authorization; however, they were not documented in any official publications at that time.

Domain 3: Selection and Approval of Framework, Security, and Privacy Controls

Once again, we see alignment with the NIST Risk Management Framework in Domain 3 with Step 2: Security Controls.  Here in step three, the curriculum focuses on identifying controls based on the system categorization and identified risk, documenting the controls, and the beginning of the build out of the continuous monitoring program.  

Domain 4: Implementation of Security and Privacy Controls

In Domain 4, we see alignment with Step 3 of the NIST RMF with the requirement to implement the identified security controls.   The BAI RMF curriculum discusses how to document the implementation of the security controls and further flesh out the frequency for compliance documentation and training.  

Domain 5: Assessment/Audit of Security and Privacy Controls

While not all frameworks undergo an official assessment as required by the federal government, all of them require at least a self-assessment. So, regardless of which framework you’re using, the RMF assessment process (Step 4) is good to understand, and the concepts can be translated to all information security/risk management programs. In Domain 5, the curriculum discusses how to develop your assessment plan and perform the assessment, as well as how to document the assessment results and the residual risk.

Domain 6: System Compliance

In Domain 6, the tasks and subtasks align with the NIST RMF Step 5, Authorize. While, again, not all frameworks require an official authorization, the tasks and subtasks within Domain 6 still apply to other frameworks. Your security package and documentation will be required, as will identification of risk posture, which includes the determination of residual risk after the remediation activities have been completed, and official documentation of system compliance with the chosen framework.

Domain 7: Compliance Maintenance

In Domain 7, both the CGRC exam and the NIST RMF require the development of a robust continuous monitoring program that ensures the system remains in compliance with the stated security posture documented in Domain 6/RMF Step 5 throughout the lifecycle of the system, from initial compliance activities through system disposal once it reaches end of life.


Based on the alignment of the exam objectives and the NIST Risk Management Framework, you can see how the BAI RMF curriculum will fulfill the majority, if not all, of the exam objectives. To further enhance your understanding of the core concepts of the CGRC exam, BAI offers many supplemental courses that focus on specific domains, such as the 4-day Security Controls workshop, which does a deep dive into steps 3 and 4 of the NIST RMF, corresponding to Domains 4 and 5 of the CGRC exam. The Information Security Continuous Monitoring course provides an in-depth curriculum of NIST Step 6/CGRC Domain 7 and enables the student to create a comprehensive continuous monitoring program within their organizational risk management and compliance program.


You may be thinking that these classes focus on the NIST 800-53, which was developed for federal systems. Historically, that is a correct observation. However, NIST released Revision 5 of the security control catalog and intentionally removed the reference to federal systems from the title. The updated revision was intended to be all-encompassing for both federal systems and industry. Likewise, the NIST Cybersecurity Framework was recently updated to version 2.0, which changed the focus from just critical infrastructure to incorporating both private industry and academia. Stay tuned! BAI is currently building a curriculum for the NIST CSF 2.0 and plans to begin offering the course in the summer of 2024.
