Who should attend?

The RMF for Federal Agencies training program is suitable for employees and contractors of federal “civil” agencies and the intelligence community, as well as their supporting vendors and service providers.  The full four-day program is recommended for most students.  Managers and others who need only high-level knowledge of RMF have the option of attending just the RMF for Federal Agencies Fundamentals (one day).

RMF for Federal Agencies – Fundamentals (Day 1)

  • Getting Started
  • Policy Background: FISMA, OMB A-130, NIST Publications (FIPS and SP) CNSS
  • Introduction to RMF
  • Roles and Responsibilities
  • RMF Life Cycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
  • RMF Documentation
  • Security Controls and Assessment Procedures
  • RMF Resources

RMF for Federal Agencies – In Depth (Days 2-4)

INSTRUCTIONAL UNITS

CLASS ACTIVITY HIGHLIGHTS

  • Getting Started
    • Course Information
    • Primary Resources
  • Step 1: Categorize
    • Categorize the System
    • Describe the System and Boundary
    • Conduct a Basic Risk Assessment
    • Register the System
  • Step 2: Select
    • RMF Security Control Overview
    • Analyze Security Controls
    • Select the Control Baseline
    • Tailor the Control Baseline
    • Planning for Continuous Monitoring
  • Step 3: Implement
    • Implement Control Solutions
    • Document Security Control Implementation
    • STIGs and Automated Tools
  • Step 4: Assess
    • Identify Security Control Assessment Team
    • Prepare for the Security Assessment
    • Security Control Assessment Procedures
  • Step 5: Authorize
    • Types of Authorizations
    • Authorization Decisions
    • Security Authorization Package
    • Documentation
  • Step 6: Monitor
    • ISCM Strategy Considerations
    • Automated Tools
    • System Decommissioning and Removal
  • Project Planning
    • Preparing for Success
    • System Acquisition
    • Knowledge Service
    • Informal Risk Assessment
    • Propose a Boundary
    • Categorize the system
    • Identify Security Control Requirements
    • Allocate Security Controls
    • Identify Applicable Overlays
    • Write Justification Statements for Non-Applicable Controls
    • Propose Criteria and Frequencies for Continuous Monitoring
    • Write Control Implementation Statements
    • Identify Security Control Assessment Methods
    • Transition Plan
      • Identify Stakeholders
      • Prepare for Project Kick-off Meeting
      • Prepare for Project Activities, Timelines, and Participants

RMF Publications covered in this training include: FIPS 199, 200; CNSSI 1253; NIST SP 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, 800-137 and more.