Who should attend?

The RMF for DoD IT training program is suitable for DoD employees and contractors, as well as their supporting vendors and service providers. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for DoD IT Fundamentals (one day). Those who wish to gain detailed implementation knowledge of RMF and NIST Security Controls should attend both RMF for DoD IT Fundamentals and RMF for DoD IT In Depth (total of four days).

RMF for DoD IT – Fundamentals (One-Day Course)

• Getting Started
• Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
• Introduction to RMF
• Roles and Responsibilities
• RMF Life Cycle: Categorize, Select, Implement, Assess, Authorize, Monitor
• RMF Documentation
• Security Controls and Assessment Procedures
• RMF and DIACAP
• RMF Resources

RMF for DoD IT – In Depth (Three-Day Course)

Getting Started
• Course Information
• DoD Primary Resources

Step 1: Categorize
• Categorize the System
• Describe the System and Boundary
• Conduct a Basic Risk Assessment
• Register the System

Step 2: Select
• RMF Security Control Overview
• Analyze Security Controls
• Select the Control Baseline
• Tailor the Control Baseline
• Planning for Continuous Monitoring

Step 3: Implement
• Implement Control Solutions
• Document Security Control Implementation
• STIGs and Automated Tools

Step 4: Assess
• Identify Security Control Assessment Team
• Prepare for the Security Assessment
• Security Control Assessment Procedures

Step 5: Authorize
• Types of Authorizations
• Authorization Decisions
• Security Authorization Package
• Documentation

Step 6: Monitor
• ISCM Strategy Considerations
• Automated Tools
• System Decommissioning and Removal

• Project Planning
• Preparing for Success
• System Acquisition
• Knowledge Service

• Informal Risk Assessment
• Propose a Boundary
• Categorize the System
• Identify Security Control Requirements
• Allocate Security Controls
• Identify Applicable Overlays
• Write Justification Statements for Nonapplicable Controls
• Propose Criteria and Frequencies for Continuous Monitoring
• Write Control Implementation Statements
• Identify Security Control Assessment Methods
• Transition Plan
• Identify Stakeholders
• Prepare for Project Kick-off Meeting
• Prepare for Project Activities, Timelines and Participants