RMF Training | Introduction to Risk Management Framework

RMF Training, Introduction to Risk Management Framework (RMF)

Though the risk management framework (RMF) is primarily a requirement for businesses working with the US Government, implementing an effective risk management system can benefit any companies.

The ultimate goal of working toward RMF compliance is the creation of a data and asset governance system that will provide full-spectrum protection against all the cyber risks you face, such as asset protection.

An effective risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business. 

An effective risk management framework can also help companies quickly analyze gaps in enterprise-level controls and develop a roadmap to reduce or avoid reputational risks.

The adoption of a risk management framework (RMF) that embeds best practices into the firm’s risk culture can be the cornerstone of an organizations’ financial future.

Effective risk management plays a crucial role in any company’s pursuit of financial stability and superior performance.

The first step in identifying the risks a company faces is to define the risk universe. The risk universe is simply a list of all possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk, political risk, strategic risk, and credit risk.

After listing all possible risks, the company can then select the risks to which it is exposed and categorize them into core and non-core risks. Core risks are those that the company must take in order to drive performance and long-term growth. Non-core risks are often not essential and can be minimized or eliminated completely.

Risk measurement is another element of RMF. Risk measurement provides information on the quantum of either a specific risk exposure or an aggregate risk exposure and the probability of a loss occurring due to those exposures.

When measuring specific risk exposure it is important to consider the effect of that risk on the overall risk profile of the organization.

Some risks may provide diversification benefits while others may not. Another important consideration is the ability to measure an exposure. Some risks may be easier to measure than others.

Introduction to Risk Management Framework (RMF) Course by Tonex

RMF Training, Introduction to Risk Management Framework (RMF) offered by Tonex. Learn about DoD Information Technology in-depth DoD RMF basics. Tonex offers a series of  Risk Management Framework (RMF)  for DoD Information Technology in-depth DoD RMF basics.

Introduction to RMF training teaches you the concepts and principles of risk management framework (RMF) which is a replacement to the traditional cybersecurity risk management framework methodology, DIACAP.

RMF training course covers variety of topics in RMF area such as: basics of RMF, RMF laws, RMF regulations, introduction to FISMA, updated FISMA regulations, RMF roles and responsibilities, FIPS and NIST publications.  Moreover, you will be introduced to step by step procedure for RMF, system development life cycle (SDLC), transition from certification and accreditation (C&A) to RMF, RMF expansion, security control assessment requirements and RMF for information technology.

RMF training course helps you to implement the risk management framework for your IT system based on recent updates on DoD, NIST and FISMA publications. The introduction to RMF training compares different aspects of traditional C&A with RMF for categorizing information systems, selecting and implementing security control, and establishing monitoring process.

Learn about the different roles and responsibilities in RMF which helps you to understand different aspects of RMF and look for the right person in case of vulnerabilities.

By taking introduction to RMF, you will follow the recent requirements of FISMA for mobile devices, security incident reporting, and protecting the agency information.

The introduction to RMF training by Tonex is interactive course with a lot of class discussions and exercises aiming to provide you a useful resource for RMF implementation to your information technology system.

If you are a government or contractor personnel and need to understand and implement new risk management framework or validate your RMF skills, you will benefit the presentations, examples, case studies, discussions, and individual activities upon the completion of the introduction to RMF training and will prepare yourself for your career.

Our instructors at Tonex will help you to master all the RMF process design/implementation techniques by introducing the comprehensive step by step RMF training.

Introduction to RMF training will introduce a set of labs, workshops and group activities of real world case studies in order to prepare you to tackle the entire related RMF challenges.

Audience

The introduction to RMF training is a 2-day course designed for:

• IT professionals in the area of cybersecurity
• DoD employees and contractors or service providers
• Government personnel working in cybersecurity area
• Authorizing official representatives, chief information officers, senior information assurance officers, information system owners or certifying authorities
• Employees of federal agencies and the intelligence community
• Assessors, assessment team members, auditors, inspectors or program managers of information technology area
• Any individual looking for information assurance implementation for a company based on recent policies
• Information system owners, information owners, business owners, and information system security managers

Training Objectives

Upon completion of the introduction to RMF training course, the attendees are able to:

• Understand the risk management framework and risk management and assessment for information technology systems
• Apply cost-effective security controls based on risk and best practices on assessment and analysis
• Understand the RMF/FISMA/NIST processes for authorizing federal IT systems and authorization process
• Explain RMF step by step procedures
• Differentiate the traditional certification and accreditation (C&A) with RMF
• Understand different key roles in RMF with their responsibilities
• Recognize recent publications of NIST and FISMA regarding RMF and select, implement, and assess security controls
• Apply the step by step RMF procedure to real world application, and ways to monitor security controls
• Tackle the problems of RMF in each phase of procedure

Training Outline

Introduction to RMF training course consists of the following lessons, which can be revised and tailored to the client’s need:

Information Security and Risk Management Framework (RMF) Foundation

• Purpose of RMF
• Components of Risk Management
• Importance of Risk Management
• Risk Management for Organizations
• Risk Management for Business processes
• Risk Management for Information System
• Concept of Trust and Trustworthiness in Risk Management
• Organizational Culture
• Key Risk Concepts and their Relationship
• Framing Risks
• Assessing Risk
• Risk Assessment Steps
• Responding to Risk
• Mitigating Risks
• Monitoring the Risk
• Risk Management Process Tasks
• Risk Response Strategies

RMF Laws, Regulations and Guidance

• Office of Management and Budget (OMB) Laws
• National Institute of Standards and Technology (NIST) Publications
• Committee and National Security Systems (CNSS)
• Office of the Director National Intelligence (ODNI)
• Department of Defense (DoD)
• Privacy Act of 1974 (Updated in 2004)
• Transmittal Memorandum, OMB A-130
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Financial Service Modernization
• OMB M-00-13
• Critical Infrastructure Protection
• Federal Information Security Management (FISM)
• HSPD 7
• Policy on Information Assurance Risk Management for National Security Systems (CNSSP)
• Security Categorization and Control Selection for National Security Systems (CNSSI)

Introduction to FISMA

• FIMSA Compliance Overview
• FIMSA Trickles into the Private Sector
• FIMSA Compliance Methodologies
• NIST RMF
• DIACAP
• DoD RMF
• ICD 503 and DCID 6/3
• Understanding the FISMA Compliance Process
• Stablishing FIMSA Compliance Program
• Preparing the Hardware and Software Inventory
• Categorizing Data Sensitivity
• Addressing Security Awareness and Training
• Addressing Rules of Behavior
• Developing an Incident Response Plan
• Conducting Privacy Impact Assessment
• Preparing Business Impact Analysis
• Developing the Contingency Plan
• Developing a Configuration Management Plan
• Preparing the System Security Plan
• Performing the Business Risk Assessment
• Security Testing and Security Packaging
• FISMA for Clouds

New Requirements under FISMA 2015

• Continuous Diagnostics and Mitigation (CDM) Program
• FISMA Metrics
• Federal Government Programs Designed to Combat Growing Threats
• Cybersecurity 2015 Cross Agency Priority (CAP) Goal
• Formalized Process for Proactive Scans of Public Facing Agency Networks
• DHS US-CERT Incident Notification Guidelines
• Information Security Program Oversight Requirements
• Privacy Management Guidance
• Mobile Devices
• Security Incident Reporting
• Protection of Agency Information
• Ongoing Authorization

Risk Management Framework Steps

• Categorizing
• Selection
• Implementation
• Assessing
• Authorizing
• Monitoring

System Development Life Cycle (SDLC)

• Initiation
• Development/Acquisition
• Implementation/Assessment
• Operation and Maintenance
• Disposal

Transition from C&A to RMF

• Certification and Accreditation (C&A) Process
• C&A Phases
• Initiation
• Certification
• Accreditation
• Monitoring
• RMF, a High Level View
• Transition and Differences
• Key Roles to Implement the RMF

Expansion of the RMF

• Implementation of the RMF in the Intelligence Community
• Implementation of the RMF in DoD
• Implementation of the RMF in the Private Sector
• Future Updates to the RMF Process
• Using the RMF with Other Control Sets
• FedRAMP
• The Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry (PCI)
• Other Standards used with RMF

Security Control Assessment Requirements

• NIST SP 800-53A Assessment Methods
• Security Control Baseline Categorization
• CNSSI 1253 Baseline Categorization
• New Controls Planned in Recent Revision
• FedRAMP Controls
• SP 800-53 Security Controls to HIPAA Security Rule
• PCI DSS Standards

RMF for IT

• NIST RMF
• IT and RMF Process
• Enterprise-wide IT Governance authorization of IT Systems and Services
• Risk Based Approach Instead of Check Lists
• DT&E and OT&E Integration
• RMF Embedded in Acquisition Lifecycle
• Continuous Monitoring and Timely Correction of Deficiencies
• Automated Tools
• Cybersecurity Implementation via Security controls
• Reciprocity Application

Optional Modules and Activities:

Hands On, Workshops and Group Activities

• Labs
• Workshops
• Group Activities

Workshops and Labs for Introduction to RMF Training

• Categorizing the Information system Based on the Information Type using NIST SP 8-060
• Determining the Security Category for Confidentiality, Availability, and Integrity of the System
• Identifying Controls Case, Second Phase of RMF Case Study Using NIST SP 800-53
• RMF Phase 3 Case Study, Resolving the Control Planning Issues
• Developing Test Procedures and Plans for Assessing Security Controls and Security Assessment Reports (SAR) using NIST SP 800-53A
• Developing Plan of Action and Milestones (POA&M)
• RMF Monitoring Phase; Assessing the Controls based on Schedule

Key Standards and Guidelines

• ƒ FIPS Publication 1(Security Categorization)
• ƒ FIPS Publication 200 (Minimum Security Controls)
• ƒ NIST Special Publication 800-18 (Security Planning)
• ƒ NIST Special Publication 800-30 (Risk Assessment)
• ƒ NIST Special Publication 800-37 (System Risk Management Framework)
• ƒ NIST Special Publication 800-3(Enterprise-Wide Risk Management)
• ƒ NIST Special Publication 800-53 (Recommended Security Controls)
• ƒ NIST Special Publication 800-53A (Security Control Assessment)
• ƒ NIST Special Publication 800-5(National Security Systems)
• ƒ NIST Special Publication 800-60 (Security Category Mapping)

FIPS and NIST Special Publications (PUBS)

• General Information
• FIPS Changes and Announcements
• FIPS Standards
• FIPS PUB 140-2; Security Requirements for Cryptographic Modules
• FIPS PUB 180-4; Secure Hash Standard (SHS)
• FIPS PUB 186-4; Digital Signature Standard (DSS)
• FIPS PUB 197; Advanced Encryption Standard (AES)
• FIPS PUB 198-1; Keyed Hash Message Authorization code (HMAC)
• FIPS PUB 199; Standards for Security Categorization of Federal Information and Information Systems
• FIPS PUB 200; Minimum Security Requirements for Federal Information and Information systems
• FIPS PUB 201-2; Personal Identity Verification (PIV)
• FIPS PUB 202; SHA-3 Standard

Creating RMF Roles and Responsibilities

• Agency Head
• Risk Executive
• Chief Information Officer (CIO)
• Chief Information Security Officer(CISO)
• Senior Information Security Officer (SISO)
• Authorizing Official (AO)
• Delegated Authorizing Official (DAO)
• Security control Assessor
• Common Control Provider (CCP)
• Information Owner
• Mission/Business Owner (MBO)
• Information System Owner
• Information System Security Engineer (ISSE)
• Information System Security Manager (ISSM)
• Information System Security Officer (ISSO)
• Risk Analyst
• Executive Management
• User Representatives
• Information security Architect
• Security control Assessor
• Computer Incident Response (CIR) Team