Who should attend?

The RMF for DoD IT training program is suitable for DoD employees and contractors, as well as their supporting vendors and service providers. The RMF for DoD IT Full Program (4 days) consists of RMF for DoD IT Fundamentals and RMF for DoD IT In-Depth. The full program provides detailed implementation knowledge of RMF and the DoD security controls. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for DoD IT Fundamentals (1 day).

RMF for DoD IT – Fundamentals (Day 1)

• Getting Started
• Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
• Introduction to RMF
• Roles and Responsibilities
• RMF Life Cycle: Categorize, Select, Implement, Assess, Authorize, Monitor
• RMF Documentation
• Security Controls and Assessment Procedures
• RMF and DIACAP
• RMF Resources

RMF for DoD IT – In-Depth (Days 2-4)

Instructional Units*

Getting Started
• Course Information
• DoD Primary Resources

Step 1: Categorize
• Categorize the System
• Describe the System and Boundary
• Conduct a Basic Risk Assessment
• Register the System

Step 2: Select
• RMF Security Control Overview
• Analyze Security Controls
• Select the Control Baseline
• Tailor the Control Baseline
• Planning for Continuous Monitoring

Step 3: Implement
• Implement Control Solutions
• Document Security Control Implementation
• STIGs and Automated Tools

Step 4: Assess
• Identify Security Control Assessment Team
• Prepare for the Security Assessment
• Security Control Assessment Procedures

Step 5: Authorize
• Types of Authorizations
• Authorization Decisions
• Security Authorization Package
• Documentation

Step 6: Monitor
• ISCM Strategy Considerations
• Automated Tools
• System Decommissioning and Removal
• Project Planning
• Preparing for Success
• System Acquisition
• Knowledge Service

Class Activity Highlights*

• Informal Risk Assessment
• Propose a Boundary
• Categorize the System
• Identify Security Control Requirements
• Allocate Security Controls
• Identify Applicable Overlays
• Write Justification Statements for Nonapplicable Controls
• Propose Criteria and Frequencies for Continuous Monitoring
• Write Control Implementation Statements
• Identify Security Control Assessment Methods
• Transition Plan
• Identify Stakeholders
• Prepare for Project Kick-off Meeting
• Prepare for Project Activities, Timelines and Participants

*RMF publications covered in this training program include: DoDI 8500.01; CNSSI 1253, FIPS 199, FIPS 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.