RMF for DoD IT Crash Course

RMF for DoD IT Crash Course

RMF for DoD IT Crash Course Description

RMF for DoD IT crash course teaches you the in depth information about Risk Management Framework (RMF) for Department of Defense (DoD) Information Technology (IT).

TONEX as a leader in security industry for more than 15 years is now announcing the RMF for DoD IT training which helps you to understand recent transition from DoD Information Assurance Certification and Accreditation Process (DIACAP) to the RMF based on latest publications of DoD and Committee for National Security Systems (CNSS) as well as National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA).

Whether you are a part of an existing Authority to Operate (ATO) under old C&A process and need to shift to new RMF process, or new to DoD requirements for RMF, you need to understand the impacts of RMF on your information system, service or facility. Therefore, this training will teach you the main transition aspects or RMF and provides you with the step by step implementation procedure and standards.

TONEX has served the industry and academia with high quality conferences, seminars, workshops, and exclusively designed courses in cybersecurity area and is pleased to inform professional fellows about the recent in-depth training on RMF for DoD IT.

This course covers variety of topics in RMF area such as: introduction to information security and RMF, regulation, laws and policies of RMF, system development life cycle, RMF roles and responsibilities, introduction to FISMA, transition from C&A to RMF, and RMF life cycle process for DoD IT. Moreover, you will learn about managing information security risks, detailed information and special publications related to each phase of RMF, challenges in implementing RMF for DoD, and security control assessment requirements.

RMF for DoD IT training will help you to implement new changes into your information system regardless of your information system type and ensures to meet DoD and federal compliance requirements especially RMF, FIPS, FISMA, HIPAA, OMB, NIST and CNSS.

The RMF for DoD IT course by TONEX is interactive course with a lot of class discussions and exercises aiming to provide you a useful resource for RMF implementation to your information technology system.

If you are a government or DoD personnel and need to understand and implement new risk management framework for your IT system or validate your RMF skills, you will benefit the presentations, examples, case studies, discussions, and individual activities upon the completion of the RMF for DoD IT training and will prepare yourself for your career.

RMF for DoD IT training will introduce a set of labs, workshops and group activities of real world case studies in order to prepare you to tackle the entire related RMF challenges.

Audience

The RMF for DoD IT training is a 4-day course designed for:

• IT professionals in the area of cybersecurity
• DoD employees and contractors or service providers
• Government personnel working in cybersecurity area
• Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
• Employees of federal agencies and the intelligence community
• Assessors, assessment team members, auditors, inspectors or program managers of information technology area
• Any individual looking for information assurance implementation for a company based on recent policies
• Information system owners, information owners, business owners, and information system security managers

Training Objectives

Upon completion of the RMF for DoD IT training course, the attendees are able to:

• Understand the risk management framework for information technology systems
• Understand the IT system for DoD
• Differentiate the RMF for DoD and basic RMF for IT systems
• Relate each phase of the RMF process to NIST, DoD and CNSS special publications
• Understand the FISMA and NIST processes for authorizing federal IT systems
• Explain the step by step procedure to apply RMF in any DoD information technology organization
• Explain the step by step procedure to RMF
• Differentiate the traditional certification and accreditation (C&A) with RMF
• Understand different key roles in RMF with their responsibilities
• Recognize recent publications of NIST and FISMA regarding RMF
• Apply the step by step RMF procedure to real world application
• Tackle the problems of RMF in each phase of procedure

Training Outline

RMF for DoD IT training course consists of the following lessons, which can be revised and tailored to the client’s need:

Introduction to Information Security and Risk Management Framework (RMF)

• Risk Management Framework (RMF) Definition
• Purpose of RMF
• Components of Risk Management
• Importance of Risk Management
• Risk Management for Organizations
• Risk Management for Business processes
• Risk Management for Information System
• Concept of Trust and Trustworthiness in Risk Management
• Organizational Culture
• Key Risk Concepts and their Relationship
• Risk Management Process Tasks
• Risk Response Strategies

Regulation, Laws and Policies of RMF

• Orders of President of United States
• Office of Management and Budget (OMB)
• National Institute of Standards and Technology (NIST)
• Committee on National Security Systems (CNSS)
• Office of the Director of National Intelligence (ODNI)
• Department of Defense (DoD)
• Privacy Act of 1974
• Transmittal Memorandum No.4, OMB A-130
• Information Technology Management Reform Act of 1996
• Health Insurance Portability and Accountability
• Financial Services Modernization Act
• Guidance for Preparing and Submitting Security Plans of Action and Milestones, OMB M-02-01
• Federal Information Security Management Act (FISMA)
• HSPD 7
• Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
• Security Categorization and Control Section for National Security Systems (CNSSI 1253)
• National Institute of Standards and Technology (NIST) Publications
• Federal Information Processing Standards (FIPS) and Special Publications
• FIPS 199
• FIPS 200
• NIST SP 800-37
• NIST 800-39
• NIST 800-60
• NIST 800-53/53A
• NIST 800-18/800-70/800-59
• DoDI 8510.01
• DoDI 8500.01
• CNSSI 1253
• CNSSI 1253A
• CNNS 4009

 System Development Life Cycle

• System Development Life Cycle (SDLC)
• Traditional SDLC
• Initiation
• Development/Acquisition
• Implementation/Assessment
• Operation and Maintenance
• Disposal
• Agile System Development

RMF Roles and Responsibilities

• Agency Head
• Risk Executive
• Chief Information Officer (CIO)
• Chief Information Security Officer(CISO)
• Senior Information Security Officer (SISO)
• Authorizing Official (AO)
• Delegated Authorizing Official (DAO)
• Security control Assessor
• Common Control Provider (CCP)
• Information Owner
• Mission/Business Owner (MBO)
• Information System Owner
• Information System Security Engineer (ISSE)
• Information System Security Manager (ISSM)
• Information System Security Officer (ISSO)
• Risk Analyst
• Executive Management
• User Representatives
• Information security Architect
• Security control Assessor
• Computer Incident Response (CIR) Team

 Introduction to FISMA

• FIMSA Compliance Overview
• FIMSA Trickles into the Private Sector
• FIMSA Compliance Methodologies
• NIST RMF
• DIACAP
• DoD RMF
• ICD 503 and DCID 6/3
• Understanding the FISMA Compliance Process
• Stablishing FIMSA Compliance Program
• Preparing the Hardware and Software Inventory
• Categorizing Data Sensitivity
• Addressing Security Awareness and Training
• Addressing Rules of Behavior
• Developing an Incident Response Plan
• Conducting Privacy Impact Assessment
• Preparing Business Impact Analysis
• Developing the Contingency Plan
• Developing a Configuration Management Plan
• Preparing the System Security Plan
• Performing the Business Risk Assessment
• Security Testing and Security Packaging
• FISMA for Clouds

Transition from C&A to RMF

• Certification and Accreditation (C&A) Process
• C&A Phases
• Initiation
• Certification
• Accreditation
• Monitoring
• RMF, a High Level View
• Transition and Differences
• Key Roles to Implement the RMF

RMF Life Cycle Process (NIST SP 800-37, DoDI 8510.01) for DoD IT

• Integrated Organization-Wide Risk Management
• System Development Life Cycle
• Information System Boundaries
• Security control Allocation
• RMF Step 1; Categorizing Information System
• RMF Step 2; Selecting Security Controls
• RMF Step 3; Implementing Security Control
• RMF Step 4; Assessing Security Controls
• RMF Step 5; Authorizing Information System
• RMF Step 6; Monitoring Security Control
• DoD Responsibilities
• DoD Chief Information Officer (CIO)
• Director, Defense Information System Agency (DISA)
• Acquisition, Technlogy and Logistics (AT&L)
• DASD
• DOT&E
• Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS)
• DoD Component Head
• RMF of IS and PIT Systems
• RMF for Products, Services and PIT
• RMF Governance
• Cybersecurity Reciprocity
• RMF Transition

Managing Information Security Risk (NIST SP 800-39)

• Components of Risk Management
• Multi-Tiered Risk Management
• Tier One; Organization view
• Tier Two; Mission/Business Process view
• Tier Three; Information System View and PIT
• Trust and Trustworthiness
• Organizational Culture
• Relationship Among Key Risk Concepts
• Risk Management Process
• Framing Risks
• Assessing Risks
• Responding to Risk
• Monitoring Risks

RMF Phase 1: Categorizing the Information system

• System Security Plan, NIST 800-18
• DoD IT Products, Services nad PIT, DoDI 8510-01
• Defining the Security Categorization, CNSSI-1253
• Determining Security Categorization based on the System’s Information Types
• Risk Impact Factors, CNSSI-1253 and NIST 800-53
• Information Required in Information System Description
• Information System Registration
• Accreditation Boundaries, NIST 800-18 and NIST 800-37
• Interconnecting Information Systems, NIST 800-47
• Registration, NIST 800-53
• Authorizing Official (AO)
• Common Control Providers
• Information Flow
• Hardware, Software and System Interfaces
• Static and Dynamic Information Systems
• Assigned Qualified Personnel, DoDD 8570.01 and DoDD 8140.01

RMF Phase 2: Selecting Security controls

• Dissecting Security Controls
• Control Selection, FIPS-200, NIST 800-53
• Control Enhancement Section
• Reference Section
• Priority and Baseline Allocation Section
• Common Control Identification
• Security Control Selection
• Developing a Monitoring Strategy
• Reviewing and Approving the System Security Plans (SSP)
• Tailoring Controls, CNSSI-1252 and NIST SP 800-53
• Specific, Common and Hybrid Controls, NIST 800-53 and CNSSI-1253 and Smaple SP
• Type Control Group Exercise
• Overlays, CNSSI-1253, NIST 800-53
• Approval and Registration, DoDI 8510.01
• Knowledge Services and eMASS

 RMF Phase 3: Implementing Security control

• Overview and Key Learning Points
• Security Control Implementation , NIST 800-53
• Security Control Documentation , NIST 800-18, and NIST 800-37
• Security content Automation Protocol (SCAP), NIST 800-115 and NIST 800-117
• Approved Configurations, Tests and Checklists, NIST 800-70, eMASS and IASE.mil

RMF Phase 4: Assessing Security Controls

• Security Control Assessment Plan
• Security control Assessment, NIST 800-37 and NIST 800-53
• Security Assessment Report
• Remediation Action
• Assessment and Testing Methods, NIST 800-53A, NIST 800-115
• Vulnerability Tools and Techniques, NIST 800-53A and NIST 800-115
• Developing Security Plan and Report, NIST 700-37
• Assess Security Control

RMF Phase 5: Authorizing the Information System

• Developing the Plan of Action and Milestones (POA&M), OMB M -01-01
• Security Authorization Packages, NIST 800-37 and DoDI 8510.01
• SSP, SAR and POA&M
• Authority to Operate (ATO)
• Type Authorization
• Contingency Strategies
• Group Contingency Deployment
• Platform Information Technology (PIT) Authorization
• Type of Weakness
• Responsible Organization for Resolving the Weakness
• Required Funding
• Key Milestones
• Assembly of the Authorization Package
• Determining Risk
• Accepting Risk

RMF Phase 6: Monitoring Security Control

• Monitoring Information Systems and Environment Changes
• Ongoing Security control Assessment
• Ongoing remediation Action
• Updating the Security Documentation
• Security Statues Reporting
• Ongoing Risk Determination and Acceptance
• System Removal and Decommissioning
• Information Security Continuous Monitoring (ISCM), NIST SP 800-137
• DoD RMF Schedule, Statues and Issues (DoD 8510.01)
• Patch and Vulnerability Management , NIST 800-40
• Cloud Computing- FedRAMP

RMF for DoD Implementation Challenges

• DoDI 8500.01
• DoDI 8510.01
• PM Guidebook for Integrating RMF into the System Acquisition Life Cycle
• Cybersecurity T&E Guidebook
• RMF Implementation Challenges
• Design Considerations
• RMF and DoD Acquisition Life Cycle
• Operational Controls
• NIST Security Controls
• Technical controls
• Automated Security Control
• Management Control

Security control Assessment Requirements

• NIST SP 800-53A Assessment Methods
• Security Control Baseline Categorization
• CNSSI 1253 Baseline Categorization
• New Controls Planned in Recent Revision
• FedRAMP Controls
• SP 800-53 Security Controls to HIPAA Security Rule
• PCI DSS Standards
• Security Assessment Report (SAR)

Hands On, Workshops, and Group Activities

• Labs
• Workshops
• Group Activities

Sample Workshops and Labs for RMF for DoD IT Training

• Categorizing the Information system Based on the Information Type using NIST SP 800-60
• Determining the Security Category for Confidentiality, Availability, and Integrity of the System
• Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
• RMF Phase 3 Case Study, Resolving the Control Planning Issues
• Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
• Developing Plan of Action and Milestones (POA&M)
• RMF Monitoring Phase; Assessing the Controls based on Schedule

RMF for DoD IT Crash Course