3350 Riverview Pkwy Suite 1900 * Atlanta, Georgia 30339 * Phone: 800-497-3376 * Email: [email protected] * Website: www.semais.net
Consulting * Training * Staffing * Support
Secure Managed Instructional Systems, LLC
RISK MANAGEMENT FRAMEWORK COURSE
“Applicative and Innovative Solutions”
What is RMF?
The RMF was developed by the National Institute of Standards and Technology (NIST) to help DoD and Federal agencies manage risks to and from Information Technology (IT) systems more easily, efficiently and effectively. The Risk Management Framework provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. The training at SEMAIS provides a comprehensive learning methodology to capture the key tasks and requirements needed to accredit DoD and Federal systems based on OMB 130, FISMA, NIST 800-30/37/53/60/114 and DoD 8500 policies and procedures. Our differentiators focus on real-time application of principles, processes, and procedures to deliver RMF based on each agency's goals and requirements.
We Focus Beyond Theory-Based Training
SEMAIS Methodology
Many training companies are focused on “Teaching-the-Test,” not “Teaching-the-Student.” At SEMAIS, we employ a different methodology: we focus on the concepts and align those concepts with application principles. This core practice ensures clients receive the most qualified training for career success. The methodology draws on an adult learning model called KAC:
Knowledge
Application
Comprehension
A Step Above Competitors
SEMAIS has the unique advantage of delivering RMF training based upon hands-on experience with Federal and DoD security standards for safeguarding data and networks. Our detailed experience and the certifications we have achieved provide a comprehensive learning approach to delivering the FISMA and Risk Management process.
Differentiators
Most training companies provide instructor-based knowledge through classroom demonstration of textbook information. This learning style forces students to become “book-based” learners. Our difference is to employ adult learning practices such as teach-back exercises and real-time system accreditation issues for students. The end state integrates workshop and certification-based training into a single course. The benefit: a company achieves a higher Return on Investment. Employees learn their roles within the RMF tasks and gather the knowledge to pass the ISC2 CAP examination.
SEMAIS Snapshot
Cage Code: 6WY63
DUNS Number: 020746879
NICCS Approved Trainer
Certifications
Certified Information Security System Professional (CISSP)
Certified Authorization Professional (CAP)
EC-Council Certified Ethical Hacker (CEHv8)
ITIL Foundation (ITILv3)
Microsoft Certified Technical Specialist (MCTS)
CompTIA Security Plus (Sec+)
Master Training Specialist (MTS)
Socio-Economic Status
Minority Owned Business (MOB)
Small Disadvantaged Business (SDB)
Veteran-Owned Small Business (VOSB)
Service-Disabled Veteran-Owned Small Business (SDVOSB)
Federal Risk Management Framework (RMF) Implementation 3.0: DoD/IC Edition
Days of Training: 4
Course Description
Federal Risk Management Framework (RMF) Implementation 3.0: DoD/IC Edition focuses on the Risk Management Framework prescribed by NIST standards as implemented within the Department of Defense (DoD) and Intelligence Community (IC). The course can also be used as test preparation for the ISC2 Certified Authorization Professional (CAP) certification.
The 3.0 version of the course is current as of July, 2016. Downloadable ancillary materials include a study guide, a DoD RMF exam, and a References and Policies handout.
Outline
Module 1: Introduction
Key concepts including assurance, assessment, authorization
Reasons for change to the Risk Management Framework (RMF)
Key characteristics of security
Security controls
Module 2: Cybersecurity Policy Regulations and Framework
Evolution and interaction of security laws, policy, and regulations in cybersecurity
Accessing the correct documents for cyber security guidance
Assessment and Authorization transformation goals
Module 3: RMF Roles and Responsibilities
Tasks and responsibilities for RMF roles
Module 4: Risk Analysis Process
Four-step risk management process
Impact level
Level of risk
Effective risk management options
Module 5: Step 1: Categorize
Key documents in RMF process
Security Categorization
Information System Description
Information System Registration
Lab 1: Categorize a fictitious DoD agency information system
Module 6: Step 2: Select
Common Control Identification
Security Control Selection
Tailor security controls
Monitoring Strategy
Security Plan Approval
Lab 2: Select security controls for a fictitious DoD agency information system.
Module 7: Step 3: Implement
Security Control Implementation
Security Control Documentation
Lab 3: Discuss and review decisions related to implementation of security controls.
Module 8: Step 4: Assess
Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions
Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency.
Module 9: Step 5: Authorize
Plan of Action and Milestones
Security Authorization Package
Risk Determination
Risk Acceptance
Lab 5: Practice compiling the documents that make up the Security Authorization Package.
Module 10: Step 6: Monitor
Information System and Environment Changes
Patches
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination and Acceptance
Information System Removal and Decommissioning
Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate them.
Module 11: Risk Management Framework for DoD and the Intelligence Community
DoDI 8510.01
DFAR 252.204-7012
Security Control Structure
Evolution of Cybersecurity Policy
NIST: Computer Security Division
DoD Cybersecurity Policy Drivers
DIACAP to RMF
Transformation Goals
Control Selection
CNSSI-1253
RMF Integration with the SDLC
Important Federal Guidelines
DoD 8500 Cybersecurity Series
Roles and Responsibilities
Registering a DoD System
eMASS
Types of Authorizations
RMF Knowledge Service
Why Train With SEMAIS?
The Cyber Security industry has adopted many standards and management strategies to become compliant. These standards require in-depth interpretation and sound learning solutions to ensure compliance for corporate and government systems. We have your training solutions for RMF.
Privacy laws are changing, and security best practices are sometimes omitted from governance strategies. Management has been facing tough decisions to maintain Defense accreditation for DoD 8500 compliance through vulnerability assessments, Security Technical Implementation Guide (STIG) implementation, and regulatory policies to achieve an Authority to Operate (ATO). What are your shortfalls for RMF training?
Are you challenged to meet compliance because your Cyber Security and Information Assurance programs, processes, or procedures are obsolete, dysfunctional, or non-compliant for RMF? If so, SEMAIS has the expertise to deliver RMF training and the tasks related to NIST 800-37 SA&A. Leave the tough work to SEMAIS!
Secured Managed Instructional Systems, LLC
3350 Riverwood Pkwy Suite 1900 Atlanta, Georgia 30339 Phone: 800-497-3376, Ext 800 Email: [email protected] Website: www.semais.net