Federal Risk Management Framework (RMF) Implementation

MMSTECH159: Federal Risk Management Framework (RMF) Implementation

Federal Risk Management Framework (RMF) Implementation R4.0: DoD/IC Edition focuses on the Risk Management Framework prescribed by NIST standards as implemented within the Department of Defense (DoD) and the Intelligence Community (IC). This courseware covers most, but not all, of the objectives of the ISC2 Certified Authorization Professional (CAP) certification exam.

Chapter 1: Introduction

Key concepts including assurance, assessment, authorization
Reasons for change to the Risk Management Framework (RMF)
Key characteristics of security
Security controls

Chapter 2: Cybersecurity Policy Regulations and Framework

Evolution and interaction of security laws, policy, and regulations in cybersecurity
Accessing the correct documents for cybersecurity guidance
Assessment and Authorization transformation goals

Chapter 3: RMF Roles and Responsibilities

Tasks and responsibilities for RMF roles

Chapter 4: Risk Analysis Process

Four-step risk management process
Impact level
Level of risk
Effective risk management options

Chapter 5: Step 1: Categorize

Key documents in RMF process
Security Categorization
Information System Description
Information System Registration
Lab 1: Categorize a fictitious DoD agency information system

Chapter 6: Step 2: Select

Common Control Identification
Security Control Selection
Tailor security controls
Monitoring Strategy
Security Plan Approval
Lab 2: Select security controls for a fictitious DoD agency information system

Chapter 7: Step 3: Implement

Security Control Implementation
Security Control Documentation
Lab 3: Discuss and review decisions related to implementation of security controls

Chapter 8: Step 4: Assess

Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions
Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency

Chapter 9: Step 5: Authorize

Plan of Action and Milestones
Security Authorization Package
Risk Determination
Risk Acceptance
Lab 5: Practice compiling the documents that make up the Security Authorization Package

Chapter 10: Step 6: Monitor

Information System and Environment Changes
Patches
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination and Acceptance
Information System Removal and Decommissioning
Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate them

Chapter 11: Risk Management Framework for DoD and the Intelligence Community

DoDI 8510.01
DFARS 252.204-7012
Security Control Structure
Evolution of Cybersecurity Policy
NIST: Computer Security Division
DoD Cybersecurity Policy Drivers
DIACAP to RMF
Transformation Goals
Control Selection
CNSSI-1253
RMF Integration with the SDLC
Important Federal Guidelines
DoD 8500 Cybersecurity Series
Roles and Responsibilities
Registering a DoD System
eMASS
Types of Authorizations
RMF Knowledge Service