Certified RMF

Risk Management Framework

Take your training to the next level!

Prepare for the Certified Authorization Professional while focusing on the Risk Management Framework.

The Risk Management Framework (RMF) is the unified information security framework for the entire Federal government, replacing the legacy Certification and Accreditation (C&A) processes within Federal government departments and agencies, the Department of Defense (DoD) and the Intelligence Community (IC). DoD has officially begun its transition from the legacy DIACAP process to the new RMF for DoD process.

RPI Training's Certified Risk Management Framework course enables practitioners to immediately apply the training to their daily work. Students are also able to prepare for the Certified Authorization Professional designation.

Each activity in the Risk Management Framework course is covered in detail, as is each component of the documentation package and the continuous monitoring process. DoDI 8510.01, the NIST SP 800-53 security controls and the NIST SP 800-53A assessment procedures are also covered in detail. Class participation exercises reinforce key concepts. The course is designed for those who need to become proficient in the nuts and bolts of FISMA RMF implementation. It provides the practical knowledge you need, without being slanted in favor of a specific software tool set.


RMF Course Details

Chapter 1: Introduction

  • Key concepts including assurance, assessment, authorization
  • Security controls: structure, types, families
  • Key characteristics of security

Chapter 2: Cybersecurity Policy Regulations and Framework

  • Evolution and interaction of security laws, policy, and regulations in cybersecurity
  • DoD cybersecurity drivers
  • Cybersecurity guidance
  • Assessment and authorization transformation goals

Chapter 3: RMF Roles and Responsibilities

  • Tasks and responsibilities for RMF roles

Chapter 4: Risk Analysis Process

  • Four-step risk management process
  • Impact level
  • Level of risk

Chapter 5: Step 1: Categorize

  • Key documents in the RMF process
  • Security Categorization
  • Information System Description
  • Information System Registration
  • Lab 1: Categorize a fictitious DoD agency information system

Chapter 6: Step 2: Select

  • Common Control Identification
  • Security Control Selection
  • Monitoring Strategy
  • Security Plan Approval
  • Lab 2: Select security controls for a fictitious DoD agency information system

Chapter 7: Step 3: Implement

  • Security Control Implementation
  • Security Control Documentation
  • Lab 3: Discuss and review decisions related to implementation of security controls

Chapter 8: Step 4: Assess

  • Assessment Preparation
  • Security Control Assessment
  • Security Assessment Report
  • Remediation Actions
  • Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency

Chapter 9: Step 5: Authorize

  • Plan of Action and Milestones
  • Security Authorization Package
  • Risk Determination
  • Risk Acceptance
  • Lab 5: Practice compiling the documents that make up the Security Authorization Package

Chapter 10: Step 6: Monitor

  • Information System and Environment Changes
  • Ongoing Security Control Assessments
  • Ongoing Remediation Actions
  • Key Updates
  • Security Status Reporting
  • Ongoing Risk Determination and Acceptance
  • Information System Removal and Decommissioning
  • Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate them

Chapter 11: Resources

  • eMASS
  • RMF Knowledge Service
  • CyberScope

World-Class, Professional and Experienced Instructor

Our master RMF trainer has 15+ years of IT, cybersecurity and information security experience and is recognized as one of the most sought-after subject matter experts in the art and skill of security engineering and authorization procedures for commercial contractor, Federal and DoD information systems. He brings "real world" knowledge and experience to the classroom, including:

  • He serves [or has served] as the principal advisor to multiple 2- and 3-star major commands and has been the principal Security Engineer for establishing and implementing the RMF.
  • He has created system assessment plans to organize and execute risk management and Department of Defense Independent Verification and Validation (IV&V) activities, identifying security vulnerabilities using a variety of classic and modern exploit tools, techniques and scanning approaches.
  • He has also provided network security engineering and consulting services for the Army, Navy, Air Force and Marine Corps, providing directed support and consultation in the initial and ongoing development and documentation of required artifacts such as Plans of Action and Milestones (POA&Ms) and the associated structure of the Continuous Monitoring Plan (CMP) as it applies to DIACAP and now RMF.
  • He has been a featured guest speaker at the Atlanta Advanced Persistent Threat Summit, the NETCOM Cybersecurity Workshop and cybersecurity informational workshops for corporations such as HP, Booz Allen and Northrop Grumman, among others.