Price: $1,799.00

Length: 2 Days

RMF Training, Introduction to Risk Management Framework (RMF)

RMF Training, Introduction to Risk Management Framework (RMF), is offered by TONEX. TONEX offers a series of Risk Management Framework (RMF) training courses covering in-depth DoD RMF basics for DoD Information Technology.

Introduction to RMF training teaches you the concepts and principles of the Risk Management Framework (RMF), which replaces the traditional cybersecurity risk management methodology, DIACAP.

The RMF training course covers a variety of topics in the RMF area, such as: basics of RMF, RMF laws, RMF regulations, introduction to FISMA, updated FISMA regulations, RMF roles and responsibilities, and FIPS and NIST publications. Moreover, you will be introduced to the step-by-step procedure for RMF, the system development life cycle (SDLC), the transition from certification and accreditation (C&A) to RMF, RMF expansion, security control assessment requirements, and RMF for information technology.

The RMF training course helps you implement the risk management framework for your IT system based on recent updates to DoD, NIST and FISMA publications. The introduction to RMF training compares different aspects of traditional C&A with RMF for categorizing information systems, selecting and implementing security controls, and establishing a monitoring process.

Learn about the different roles and responsibilities in RMF, which helps you understand different aspects of RMF and find the right person in case of vulnerabilities.

By taking the introduction to RMF training, you will follow the recent requirements of FISMA for mobile devices, security incident reporting, and protecting agency information.

The introduction to RMF training by TONEX is an interactive course with many class discussions and exercises, aiming to provide you with a useful resource for implementing RMF in your information technology system.

If you are government or contractor personnel and need to understand and implement the new risk management framework or validate your RMF skills, you will benefit from the presentations, examples, case studies, discussions, and individual activities of the introduction to RMF training, and upon its completion you will be prepared for your career.

Our instructors at TONEX will help you master all the RMF process design and implementation techniques through comprehensive step-by-step RMF training.

Introduction to RMF training includes a set of labs, workshops and group activities based on real-world case studies to prepare you to tackle all the related RMF challenges.


The introduction to RMF training is a 2-day course designed for:

  • IT professionals in the area of cybersecurity
  • DoD employees and contractors or service providers
  • Government personnel working in cybersecurity area
  • Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
  • Employees of federal agencies and the intelligence community
  • Assessors, assessment team members, auditors, inspectors or program managers of information technology area
  • Any individual looking for information assurance implementation for a company based on recent policies
  • Information system owners, information owners, business owners, and information system security managers

Training Objectives

Upon completion of the introduction to RMF training course, the attendees are able to:

  • Understand the risk management framework and risk management and assessment for information technology systems
  • Apply cost-effective security controls based on risk and best practices on assessment and analysis
  • Understand the RMF/FISMA/NIST processes for authorizing federal IT systems and authorization process
  • Explain RMF step by step procedures
  • Differentiate the traditional certification and accreditation (C&A) from RMF
  • Understand different key roles in RMF with their responsibilities
  • Recognize recent publications of NIST and FISMA regarding RMF and select, implement, and assess security controls
  • Apply the step by step RMF procedure to real world application, and ways to monitor security controls
  • Tackle the problems of RMF in each phase of procedure

Training Outline

Introduction to RMF training course consists of the following lessons, which can be revised and tailored to the client’s need:

Information Security and Risk Management Framework (RMF) Foundation

  • Purpose of RMF
  • Components of Risk Management
  • Importance of Risk Management
  • Risk Management for Organizations
  • Risk Management for Business processes
  • Risk Management for Information System
  • Concept of Trust and Trustworthiness in Risk Management
  • Organizational Culture
  • Key Risk Concepts and their Relationship
  • Framing Risks
  • Assessing Risk
  • Risk Assessment Steps
  • Responding to Risk
  • Mitigating Risks
  • Monitoring the Risk
  • Risk Management Process Tasks
  • Risk Response Strategies

RMF Laws, Regulations and Guidance

  • Office of Management and Budget (OMB) Laws
  • National Institute of Standards and Technology (NIST) Publications
  • Committee on National Security Systems (CNSS)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Privacy Act of 1974 (Updated in 2004)
  • Transmittal Memorandum, OMB A-130
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Financial Service Modernization
  • OMB M-00-13
  • Critical Infrastructure Protection
  • Federal Information Security Management Act (FISMA)
  • HSPD 7
  • Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
  • Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

  • FISMA Compliance Overview
  • FISMA Trickles into the Private Sector
  • FISMA Compliance Methodologies
  • DoD RMF
  • ICD 503 and DCID 6/3
  • Understanding the FISMA Compliance Process
  • Establishing FISMA Compliance Program
  • Preparing the Hardware and Software Inventory
  • Categorizing Data Sensitivity
  • Addressing Security Awareness and Training
  • Addressing Rules of Behavior
  • Developing an Incident Response Plan
  • Conducting Privacy Impact Assessment
  • Preparing Business Impact Analysis
  • Developing the Contingency Plan
  • Developing a Configuration Management Plan
  • Preparing the System Security Plan
  • Performing the Business Risk Assessment
  • Security Testing and Security Packaging
  • FISMA for Clouds

New Requirements under FISMA 2015

  • Continuous Diagnostics and Mitigation (CDM) Program
  • FISMA Metrics
  • Federal Government Programs Designed to Combat Growing Threats
  • Cybersecurity 2015 Cross Agency Priority (CAP) Goal
  • Formalized Process for Proactive Scans of Public Facing Agency Networks
  • DHS US-CERT Incident Notification Guidelines
  • Information Security Program Oversight Requirements
  • Privacy Management Guidance
  • Mobile Devices
  • Security Incident Reporting
  • Protection of Agency Information
  • Ongoing Authorization

Risk Management Framework Steps

  • Categorizing
  • Selection
  • Implementation
  • Assessing
  • Authorizing
  • Monitoring

System Development Life Cycle (SDLC)

  • Initiation
  • Development/Acquisition
  • Implementation/Assessment
  • Operation and Maintenance
  • Disposal

Transition from C&A to RMF

  • Certification and Accreditation (C&A) Process
  • C&A Phases
  • Initiation
  • Certification
  • Accreditation
  • Monitoring
  • RMF, a High Level View
  • Transition and Differences
  • Key Roles to Implement the RMF

Expansion of the RMF

  • Implementation of the RMF in the Intelligence Community
  • Implementation of the RMF in DoD
  • Implementation of the RMF in the Private Sector
  • Future Updates to the RMF Process
  • Using the RMF with Other Control Sets
  • FedRAMP
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI)
  • Other Standards used with RMF

Security Control Assessment Requirements

  • NIST SP 800-53A Assessment Methods
  • Security Control Baseline Categorization
  • CNSSI 1253 Baseline Categorization
  • New Controls Planned in Recent Revision
  • FedRAMP Controls
  • SP 800-53 Security Controls to HIPAA Security Rule
  • PCI DSS Standards

RMF for IT

  • IT and RMF Process
  • Enterprise-wide IT Governance authorization of IT Systems and Services
  • Risk Based Approach Instead of Check Lists
  • DT&E and OT&E Integration
  • RMF Embedded in Acquisition Lifecycle
  • Continuous Monitoring and Timely Correction of Deficiencies
  • Automated Tools
  • Cybersecurity Implementation via Security controls
  • Reciprocity Application

Optional Modules and Activities:

Hands On, Workshops and Group Activities

  • Labs
  • Workshops
  • Group Activities

Workshops and Labs for Introduction to RMF Training

  • Categorizing the Information System Based on the Information Type using NIST SP 800-60
  • Determining the Security Category for Confidentiality, Availability, and Integrity of the System
  • Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
  • RMF Phase 3 Case Study, Resolving the Control Planning Issues
  • Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
  • Developing Plan of Action and Milestones (POA&M)
  • RMF Monitoring Phase; Assessing the Controls based on Schedule

Key Standards and Guidelines

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Controls)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Assessment)
  • NIST Special Publication 800-37 (System Risk Management Framework)
  • NIST Special Publication 800-39 (Enterprise-Wide Risk Management)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)

FIPS and NIST Special Publications (PUBS)

  • General Information
  • FIPS Changes and Announcements
  • FIPS Standards
  • FIPS PUB 140-2; Security Requirements for Cryptographic Modules
  • FIPS PUB 180-4; Secure Hash Standard (SHS)
  • FIPS PUB 186-4; Digital Signature Standard (DSS)
  • FIPS PUB 197; Advanced Encryption Standard (AES)
  • FIPS PUB 198-1; Keyed-Hash Message Authentication Code (HMAC)
  • FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
  • FIPS PUB 200; Minimum Security Requirements for Federal Information and Information Systems
  • FIPS PUB 201-2; Personal Identity Verification (PIV)
  • FIPS PUB 202; SHA-3 Standard

Creating RMF Roles and Responsibilities

  • Agency Head
  • Risk Executive
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Senior Information Security Officer (SISO)
  • Authorizing Official (AO)
  • Delegated Authorizing Official (DAO)
  • Security Control Assessor
  • Common Control Provider (CCP)
  • Information Owner
  • Mission/Business Owner (MBO)
  • Information System Owner
  • Information System Security Engineer (ISSE)
  • Information System Security Manager (ISSM)
  • Information System Security Officer (ISSO)
  • Risk Analyst
  • Executive Management
  • User Representatives
  • Information Security Architect
  • Computer Incident Response (CIR) Team
