Skip to main content

Who should attend?

The RMF for DoD IT training program is suitable for DoD employees and contractors, as well as their supporting vendors and service providers. The full four-day program is recommended for most students. Managers and others who need only high-level knowledge of RMF have the option of attending just the RMF for DoD IT Fundamentals (one day).

RMF for DoD IT – Fundamentals (Day 1)

  • Getting Started
  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
  • RMF Documentation
  • Security Controls and Assessment Procedures
  • RMF Resources

RMF for DoD IT – In Depth (Days 2-4)

Instructional Units

Class Activity Highlights

Getting Started

  • Course Information
  • DoD Primary Resources

Step 1: Categorize

  • Categorize the System
  • Describe the System and Boundary
  • Conduct a Basic Risk Assessment
  • Register the System

Step 2: Select

  • RMF Security Control Overview
  • Analyze Security Controls
  • Select the Control Baseline
  • Tailor the Control Baseline
  • Planning for Continuous Monitoring

Step 3: Implement

  • Implement Control Solutions
  • Document Security Control Implementation
  • STIGs and Automated Tools

Step 4: Assess

  • Identify Security Control Assessment Team
  • Prepare for the Security Assessment
  • Security Control Assessment Procedures

Step 5: Authorize

  • Types of Authorizations
  • Authorization Decisions
  • Security Authorization Package
  • Documentation

Step 6: Monitor

  • ISCM Strategy Considerations
  • Automated Tools
  • System Decommissioning and Removal

Project Planning

  • Preparing for Success
  • System Acquisition
  • Knowledge Service

Informal Risk Assessment

  • Propose a Boundary
  • Categorize the System
  • Identify Security Control Requirements
  • Allocate Security Controls
  • Identify Applicable Overlays
  • Write Justification Statements for Non-applicable Controls
  • Propose Criteria and Frequencies for Continuous Monitoring
  • Write Control Implementation Statements
  • Identify Security Control Assessment Methods
  • Transition Plan
      • Identify Stakeholders
      • Prepare for Project Kick-off Meeting
      • Prepare for Project Activities, Timelines and Participants

RMF publications covered in this training program include: DoDI 8500.01; CNSSI 1253, FIPS 199, FIPS 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.

References to eMASS are included throughout these instructional units.  More in-depth coverage of eMASS, including hands-on exercise, is available in our eMASS eSSENTIALS™ training program.