Who should attend?

The RMF for DoD IT training program is suitable for DoD employees and contractors, as well as their supporting vendors and service providers. The full four-day program is recommended for most students. Managers and others who need only high-level knowledge of RMF have the option of attending just the RMF for DoD IT Fundamentals (one day).

RMF for DoD IT – Fundamentals (Day 1)

  • Getting Started
  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
  • RMF Documentation
  • Security Controls and Assessment Procedures
  • RMF Resources

RMF for DoD IT – In Depth (Days 2-4)

Instructional Units

Getting Started

  • Course Information
  • DoD Primary Resources

Step 1: Categorize

  • Categorize the System
  • Describe the System and Boundary
  • Conduct a Basic Risk Assessment
  • Register the System

Step 2: Select

  • RMF Security Control Overview
  • Analyze Security Controls
  • Select the Control Baseline
  • Tailor the Control Baseline
  • Planning for Continuous Monitoring

Step 3: Implement

  • Implement Control Solutions
  • Document Security Control Implementation
  • STIGs and Automated Tools

Step 4: Assess

  • Identify Security Control Assessment Team
  • Prepare for the Security Assessment
  • Security Control Assessment Procedures

Step 5: Authorize

  • Types of Authorizations
  • Authorization Decisions
  • Security Authorization Package
  • Documentation

Step 6: Monitor

  • ISCM (Information Security Continuous Monitoring) Strategy Considerations
  • Automated Tools
  • System Decommissioning and Removal

Project Planning

  • Preparing for Success
  • System Acquisition
  • Knowledge Service

Class Activity Highlights

Informal Risk Assessment

  • Propose a Boundary
  • Categorize the System
  • Identify Security Control Requirements
  • Allocate Security Controls
  • Identify Applicable Overlays
  • Write Justification Statements for Non-applicable Controls
  • Propose Criteria and Frequencies for Continuous Monitoring
  • Write Control Implementation Statements
  • Identify Security Control Assessment Methods
  • Transition Plan
      • Identify Stakeholders
      • Prepare for Project Kick-off Meeting
      • Prepare for Project Activities, Timelines and Participants

RMF publications covered in this training program include: DoDI 8500.01 and 8510.01; CNSSI 1253; FIPS 199 and FIPS 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137; and more.

References to eMASS are included throughout these instructional units. More in-depth coverage of eMASS, including hands-on exercises, is available in our eMASS eSSENTIALS™ training program.