Who should attend?

The RMF for DoD IT training program is suitable for DoD employees and contractors, as well as their supporting vendors and service providers. The full four-day program is recommended for most students. Managers and others who need only high-level knowledge of RMF have the option of attending just the RMF for DoD IT Fundamentals (one day).

RMF for DoD IT – Fundamentals (Day 1)

• Getting Started
• Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP), DoDI 8500.01, 8510.01
• Introduction to RMF
• Roles and Responsibilities
• RMF Life Cycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
• RMF Documentation
• Security Controls and Assessment Procedures
• RMF and DIACAP
• RMF Resources

RMF for DoD IT – In Depth (Days 2-4)

Instructional Units*

Getting Started
• Course Information
• DoD Primary Resources

Step 1: Categorize
• Categorize the System
• Describe the System and Boundary
• Conduct a Basic Risk Assessment
• Register the System

Step 2: Select
• RMF Security Control Overview
• Analyze Security Controls
• Select the Control Baseline
• Tailor the Control Baseline
• Planning for Continuous Monitoring

Step 3: Implement
• Implement Control Solutions
• Document Security Control Implementation
• STIGs and Automated Tools

Step 4: Assess
• Identify Security Control Assessment Team
• Prepare for the Security Assessment
• Security Control Assessment Procedures

Step 5: Authorize
• Types of Authorizations
• Authorization Decisions
• Security Authorization Package
• Documentation

Step 6: Monitor
• ISCM Strategy Considerations
• Automated Tools
• System Decommissioning and Removal

Project Planning
• Preparing for Success
• System Acquisition
• Knowledge Service

Class Activity Highlights*

• Informal Risk Assessment
• Propose a Boundary
• Categorize the System
• Identify Security Control Requirements
• Allocate Security Controls
• Identify Applicable Overlays
• Write Justification Statements for Nonapplicable Controls
• Propose Criteria and Frequencies for Continuous Monitoring
• Write Control Implementation Statements
• Identify Security Control Assessment Methods
• Transition Plan
• Identify Stakeholders
• Prepare for Project Kick-off Meeting
• Prepare for Project Activities, Timelines and Participants

*RMF publications covered in this training program include: DoDI 8500.01; CNSSI 1253, FIPS 199, FIPS 200; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.