Who should attend?

The RMF for Federal Agencies training program is suitable for employees and contractors of federal “civil” agencies and the intelligence community, as well as their supporting vendors and service providers. Managers and others who wish to gain high-level knowledge of RMF should attend RMF for Federal Agencies – Fundamentals (one day). Those who wish to gain detailed implementation knowledge of RMF and NIST Security Controls should attend both RMF for Federal Agencies – Fundamentals and RMF for Federal Agencies – In Depth (total of four days).

RMF for Federal Agencies – Fundamentals (One-Day Course)

• Introduction and Logistics
• Information Security and Risk Management Foundation
• Understanding FISMA
• FIPS and NIST Special Pubs
• Risk Management Evolves (NIST SP 800-37, 800-39)
• Introduction to the RMF Life Cycle
• Key Roles in the RMF
• RMF Documentation
• Introduction to Security Controls
• Supporting Resources
• Course Summary
• Course Evaluation

RMF for Federal Agencies – In Depth (Three-Day Course)

Day 1

• Introduction and Logistics
• Foundations of Information Security and Risk Management
• Exercise 1 – Security Brainstorming
• Roles and Responsibilities
• Exercise 2 – Roles/Responsibilities
• RMF Life Cycle Process (NIST SP 800-37)
• “Step 0” – Preparing for RMF
• Exercise 3 – System Boundary
• Step 1 – Categorize (FIPS 199, NIST SP 800-60)
• Exercise 4 – System Categorization
• Step 2 – Select (FIPS 200, NIST SP 800-53)
• Step 3 – Implement
• Step 4 – Assess

Day 2

• Step 5 – Authorize
• Step 6 – Monitor (NIST SP 800-137)
• Exercise 5 – RMF Life Cycle
• RMF Challenges
• RMF Documentation
• System Security Plan
• Security Assessment Report
• Plan of Action and Milestones (POA&M)
• Supporting Documentation (Artifacts)
• Exercise 6 – RMF Documentation
• NIST Security Controls
• Management Controls
• Operational Controls

Day 3

• Technical Controls
• Exercise 7 – “Dissecting” a Security Control
• Security Controls Assessment (NIST SP 800-53A)
• Exercise 8 – Security Control Assessment
• RMF Resources
• Automated Security Tools
• Exercise 9 – Security Testing T
• Practical Guidance
• Exercise 10 – RMF Project Plan Case Study
• Course Summary
• Course Evaluation
• RMF “Jeopardy”