
Risk Management Framework Training, RMF Training


The Risk Management Framework (RMF) was developed by the National Institute of Standards and Technology (NIST) to help government organizations manage risks to and from Information Technology (IT) systems more easily, efficiently and effectively.

The Risk Management Framework (RMF) training course describes the steps for establishing an organization-wide risk management and assessment program that ties information security to organizational risk management.

TONEX provides Cybersecurity training and Information System Security Engineering (ISSE), Department of Defense (DoD) and Federal Certification & Accreditation (C&A), Research, Development, Test and Evaluation (RDT&E), and Rapid Technology Training and Transition services.

Selecting security controls for an information system is accomplished as part of an organization-wide information security program. Security control selection involves the management of organizational risk, a key element in the organization's information security program. The Risk Management Framework (as a risk-based approach) provides an effective framework for selecting the appropriate security controls for an information system.

Learn how a risk-based approach to security control selection considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

The Risk Management Framework activities and steps related to managing organizational risk are the main principles of an effective information security program within a Federal Enterprise Architecture.

Risk Management Framework (RMF) Training Objectives

Upon completion of Risk Management Framework (RMF) Training, the attendees will learn about:

  • Key activities in managing enterprise-level risk
  • Evaluating risk resulting from the operation of an information system
  • Categorizing the information system
  • Selecting a set of minimum (baseline) security controls
  • Refining the security control set based on risk assessment
  • Documenting and modeling security controls in the system security plan
  • Implementing the security controls in the information system
  • Assessing the security controls
  • Determining agency-level risk and risk acceptability
  • Authorizing information system operation
  • Monitoring security controls on a continuous basis

Introduction to Risk Management Framework

  • Categorize the information system
  • Select baseline security controls
  • Implement the security controls
  • Assess the security controls
  • Authorize information system operation
  • Monitor security controls

Risk Management Framework (RMF) process steps include the following functions:

  • Assessing the information system, its risks, and its environment of operation, and deciding whether the risk of operating the system is acceptable
  • Categorizing the information system and the information it processes, stores, and transmits, based on an impact analysis
  • Selecting an initial set of baseline security controls
  • Tailoring and supplementing the security control baseline based on the security categorization, an organizational assessment of risk, and local conditions
  • Implementing the security controls and documenting how the controls are deployed
  • Assessing the security controls using appropriate procedures to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
  • Authorizing information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation
  • Monitoring and assessing security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system
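As an added illustration of the categorize and select-baseline steps above (example code written for this page, not TONEX course material), the following Python applies the FIPS 199 high-water mark across a system's information types and maps the result to the FIPS 200 / SP 800-53 baseline; the grants system and its information types are constructed sample values.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark.
    NOT_APPLICABLE is allowed only for the confidentiality of an information type
    (e.g. public information); a system's objectives are never below LOW."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize_system(info_types):
    """Per-objective system impact = highest value among all information types the
    system processes, stores, or transmits, floored at LOW as FIPS 199 requires."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for name, levels in info_types.items():
        for objective in ("integrity", "availability"):
            if levels[objective] is Impact.NOT_APPLICABLE:
                raise ValueError(f"{name}: NOT_APPLICABLE is only valid for confidentiality")
    return {obj: max(Impact.LOW, *(levels[obj] for levels in info_types.values()))
            for obj in OBJECTIVES}

def high_water_mark(security_category):
    """Overall system impact level: the highest of the three objectives."""
    return max(security_category.values())

def select_baseline(security_category):
    """FIPS 200 maps the high-water mark to the SP 800-53 low/moderate/high baseline."""
    return high_water_mark(security_category).name.lower()

def format_category(system_name, security_category):
    """FIPS 199 notation, e.g. SC system = {(confidentiality, LOW), (integrity, LOW), ...}."""
    pairs = ", ".join(f"({obj}, {security_category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"

# Constructed sample: a hypothetical grants system carrying two information types.
SAMPLE_INFO_TYPES = {
    "public program descriptions": {"confidentiality": Impact.NOT_APPLICABLE,
                                    "integrity": Impact.LOW, "availability": Impact.LOW},
    "applicant financial records": {"confidentiality": Impact.MODERATE,
                                    "integrity": Impact.MODERATE, "availability": Impact.LOW},
}

if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category("grants system", category))
    print("SP 800-53 baseline:", select_baseline(category))
```

The moderate confidentiality of the financial records pulls the whole system to a moderate baseline even though the public content alone would rate low, which is exactly the effect the tailoring step then has to account for.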

Overview of Information Security Program

  • Adversaries attack the weakest link
  • Vulnerabilities assessment
  • Risk assessment
  • Security planning
  • Security policies and procedures
  • Contingency planning
  • Incident response planning
  • Security awareness and training
  • Physical security
  • Personnel security
  • Certification, accreditation, and security assessments
  • Access control mechanisms
  • Identification & authentication mechanisms
  • Biometrics, tokens, and passwords
  • Audit mechanisms
  • Encryption mechanisms
  • Firewalls and network security mechanisms
  • Intrusion detection systems
  • Security configuration settings
  • Anti-viral software
  • Smart cards

The RMF steps consider and draw on the following:

  • Legislation, policies, directives, regulations, standards, and organizational mission/business/operational requirements, which facilitate the identification of security requirements
  • FIPS 199 security categorization guidance
  • CNSS Instruction 1253 guidance for national security systems
  • NIST Special Publication 800-53 security control selection guidance
  • NIST Special Publication 800-53A assessment procedures for security controls
  • NIST Special Publication 800-37 Revision 1 guidance on authorizing an information system to operate
  • NIST Special Publication 800-37 Revision 1 guidance on monitoring the security controls in the environment of operation, the ongoing risk determination and acceptance, and the approved information system's authorization-to-operate status

Categorize Information and Information System

  • SP 800-18, SP 800-37: System Security Plan
  • DoDI 8510.01
  • CNSSI-1253, FIPS 199, and SP 800-60
    • CNSSI-1253 and SP 800-53
  • SP 800-18 and SP 800-37
  • SP 800-47
  • SP 800-53
  • DoDD 8570.01 and DoDD 8140.01

Security Controls

  • SP 800-53, CNSSI-1253
  • CNSSI-1253, SP 800-53
  • CNSSI-1253, FIPS-200, and SP 800-53
  • CNSSI-1253 and SP 800-53
  • SP 800-53
  • SP 800-37
  • DoDI 8510.01

Implement Security Controls

  • SP 800-53
  • SP 800-18 and SP 800-37
  • SP 800-70, eMASS and IASE.mil
  • SP 800-115 and SP 800-117

Assess Security Controls

  • SP 800-53A and SP 800-115
  • SP 800-37 and Sample SAR
  • SP 800-37 and DoDI 8510.01
  • SP 800-53A and SP 800-115
  • SP 800-37 and SP 800-53

Authorize Information System

  • DoDI 8510.01
  • OMB M-01-01 and Sample POA&M
  • SP 800-37 and DoDI 8510.01
    • SSP, SAR, and POA&M
  • SP 800-37 and DoDI 8510.01
  • DoDI 8510.01
    • Contingency Deployment Group Exercises

Monitor Security Controls

  • SP 800-137 and HBSS
  • SP 800-40
  • FedRAMP, FedRAMP+, SP800-53, and SRG
  • DoDI 8510.01

