Introduction to Risk Management Framework Training


Introduction to Risk Management Framework Training - RMF Training is offered by ENO. The course covers the basics of the DoD Risk Management Framework (RMF) for DoD Information Technology in depth.

Introduction to Risk Management Framework Training - RMF Training teaches you the concepts and principles of the risk management framework (RMF), which replaced the traditional DoD cybersecurity risk management methodology, DIACAP. The RMF training course covers a variety of topics in the RMF area, such as the basics of RMF, RMF laws and regulations, an introduction to FISMA, updated FISMA regulations, RMF roles and responsibilities, and the relevant FIPS and NIST publications. You will also be introduced to the step-by-step RMF procedure, the system development life cycle (SDLC), the transition from certification and accreditation (C&A) to RMF, the expansion of RMF beyond DoD, security control assessment requirements, and RMF for information technology.

Introduction to Risk Management Framework Training - RMF Training helps you implement the risk management framework for your IT system based on recent DoD, NIST and FISMA publications. The course compares the traditional C&A process with RMF for categorizing information systems, selecting and implementing security controls, and establishing a monitoring process. You will learn the different roles and responsibilities in RMF, which helps you understand the framework from each role's perspective and know which role is responsible when a vulnerability is found.

By taking Introduction to RMF, you will learn the recent FISMA requirements for mobile devices, security incident reporting, and protection of agency information. The Introduction to Risk Management Framework Training - RMF Training is an interactive course with many class discussions and exercises that aims to give you a useful resource for implementing RMF on your information technology system.

If you are government or contractor personnel who need to understand and implement the new risk management framework or validate your RMF skills, you will benefit from the presentations, examples, case studies, discussions and individual activities in this course, and on completing the Introduction to RMF training you will be better prepared for your career.

Duration: 3 days

Customize It:

• If you are familiar with some aspects of Introduction to Risk Management Framework Training - RMF Training course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Introduction to Risk Management Framework Training - RMF Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Introduction to Risk Management Framework Training - RMF Training course in a manner understandable to lay audiences.

Audience / Target Group:

The target audience for this Introduction to Risk Management Framework Training - RMF Training course is defined here:

• IT professionals in the area of cybersecurity
• DoD employees and contractors or service providers
• Government personnel working in cybersecurity area
• Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
• Employees of federal agencies and the intelligence community
• Assessors, assessment team members, auditors, inspectors or program managers of information technology area
• Any individual looking for information assurance implementation for a company based on recent policies
• Information system owners, information owners, business owners, and information system security managers

Objectives:

After completing this Introduction to Risk Management Framework Training - RMF Training course, attendees will be able to:

• Understand the risk management framework and risk management and assessment for information technology systems
• Apply cost-effective security controls based on risk and best practices on assessment and analysis
• Understand the RMF/FISMA/NIST process for authorizing federal IT systems
• Explain RMF step by step procedures
• Differentiate traditional certification and accreditation (C&A) from RMF
• Understand different key roles in RMF with their responsibilities
• Recognize recent publications of NIST and FISMA regarding RMF and select, implement, and assess security controls
• Apply the step-by-step RMF procedure to real-world applications and monitor security controls
• Tackle the problems of RMF in each phase of the procedure

Introduction to Risk Management Framework Training - RMF Training - Course Syllabus:

Information Security and Risk Management Framework (RMF) Foundation

Purpose of RMF
Components of Risk Management
Importance of Risk Management
Risk Management for Organizations
Risk Management for Business processes
Risk Management for Information System
Concept of Trust and Trustworthiness in Risk Management
Organizational Culture
Key Risk Concepts and their Relationship
Framing Risks
Assessing Risk
Risk Assessment Steps
Responding to Risk
Mitigating Risks
Monitoring the Risk
Risk Management Process Tasks
Risk Response Strategies

RMF Laws, Regulations and Guidance

Office of Management and Budget (OMB) Laws
National Institute of Standards and Technology (NIST) Publications
Committee on National Security Systems (CNSS)
Office of the Director of National Intelligence (ODNI)
Department of Defense (DoD)
Privacy Act of 1974 (Updated in 2004)
Transmittal Memorandum, OMB A-130
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Financial Service Modernization
OMB M-00-13
Critical Infrastructure Protection
Federal Information Security Management Act (FISMA)
HSPD 7
Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

FISMA Compliance Overview
FISMA Trickles into the Private Sector
FISMA Compliance Methodologies
NIST RMF
DIACAP
DoD RMF
ICD 503 and DCID 6/3
Understanding the FISMA Compliance Process
Establishing a FISMA Compliance Program
Preparing the Hardware and Software Inventory
Categorizing Data Sensitivity
Addressing Security Awareness and Training
Addressing Rules of Behavior
Developing an Incident Response Plan
Conducting Privacy Impact Assessment
Preparing Business Impact Analysis
Developing the Contingency Plan
Developing a Configuration Management Plan
Preparing the System Security Plan
Performing the Business Risk Assessment
Security Testing and Security Packaging
FISMA for Clouds

New Requirements under FISMA 2015

Continuous Diagnostics and Mitigation (CDM) Program
FISMA Metrics
Federal Government Programs Designed to Combat Growing Threats
Cybersecurity 2015 Cross Agency Priority (CAP) Goal
Formalized Process for Proactive Scans of Public Facing Agency Networks
DHS US-CERT Incident Notification Guidelines
Information Security Program Oversight Requirements
Privacy Management Guidance
Mobile Devices
Security Incident Reporting
Protection of Agency Information
Ongoing Authorization

Risk Management Framework Steps

Categorizing
Selection
Implementation
Assessing
Authorizing
Monitoring

System Development Life Cycle (SDLC)

Initiation
Development/Acquisition
Implementation/Assessment
Operation and Maintenance
Disposal

Transition from C&A to RMF

Certification and Accreditation (C&A) Process
C&A Phases
Initiation
Certification
Accreditation
Monitoring
RMF, a High Level View
Transition and Differences
Key Roles to Implement the RMF

Expansion of the RMF

Implementation of the RMF in the Intelligence Community
Implementation of the RMF in DoD
Implementation of the RMF in the Private Sector
Future Updates to the RMF Process
Using the RMF with Other Control Sets
FedRAMP
The Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI)
Other Standards used with RMF

Security Control Assessment Requirements

NIST SP 800-53A Assessment Methods
Security Control Baseline Categorization
CNSSI 1253 Baseline Categorization
New Controls Planned in Recent Revision
FedRAMP Controls
SP 800-53 Security Controls to HIPAA Security Rule
PCI DSS Standards

RMF for IT

NIST RMF
IT and RMF Process
Enterprise-wide IT Governance authorization of IT Systems and Services
Risk Based Approach Instead of Check Lists
DT&E and OT&E Integration
RMF Embedded in Acquisition Lifecycle
Continuous Monitoring and Timely Correction of Deficiencies
Automated Tools
Cybersecurity Implementation via Security controls
Reciprocity Application

Optional Modules and Activities:

Hands On, Workshops and Group Activities

Labs
Workshops
Group Activities

Workshops and Labs for Introduction to RMF Training

Categorizing the Information System Based on the Information Type using NIST SP 800-60
Determining the Security Category for Confidentiality, Availability, and Integrity of the System
Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
RMF Phase 3 Case Study, Resolving the Control Planning Issues
Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
Developing Plan of Action and Milestones (POA&M)
RMF Monitoring Phase; Assessing the Controls based on Schedule

Key Standards and Guidelines

FIPS Publication 199 (Security Categorization)
FIPS Publication 200 (Minimum Security Controls)
NIST Special Publication 800-18 (Security Planning)
NIST Special Publication 800-30 (Risk Assessment)
NIST Special Publication 800-37 (System Risk Management Framework)
NIST Special Publication 800-39 (Enterprise-Wide Risk Management)
NIST Special Publication 800-53 (Recommended Security Controls)
NIST Special Publication 800-53A (Security Control Assessment)
NIST Special Publication 800-59 (National Security Systems)
NIST Special Publication 800-60 (Security Category Mapping)

FIPS and NIST Special Publications (PUBS)

General Information
FIPS Changes and Announcements
FIPS Standards
FIPS PUB 140-2; Security Requirements for Cryptographic Modules
FIPS PUB 180-4; Secure Hash Standard (SHS)
FIPS PUB 186-4; Digital Signature Standard (DSS)
FIPS PUB 197; Advanced Encryption Standard (AES)
FIPS PUB 198-1; Keyed-Hash Message Authentication Code (HMAC)
FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
FIPS PUB 200; Minimum Security Requirements for Federal Information and Information systems
FIPS PUB 201-2; Personal Identity Verification (PIV)
FIPS PUB 202; SHA-3 Standard

Creating RMF Roles and Responsibilities

Agency Head
Risk Executive
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Senior Information Security Officer (SISO)
Authorizing Official (AO)
Delegated Authorizing Official (DAO)
Security Control Assessor
Common Control Provider (CCP)
Information Owner
Mission/Business Owner (MBO)
Information System Owner
Information System Security Engineer (ISSE)
Information System Security Manager (ISSM)
Information System Security Officer (ISSO)
Risk Analyst
Executive Management
User Representatives
Information Security Architect
Computer Incident Response (CIR) Team
