
Department of Defense (DoD) Risk Management Framework (RMF) Process 2015


Course Description:
The purpose of this course is for attendees to gain a thorough understanding of the new DoD authorization
process as required by DoDI 8510.01, Risk Management Framework for DoD IT, 14 March 2014, which is based
on the new Committee on National Security Systems Instruction 1253 (CNSSI 1253), Security Categorization
and Security Control Selection for National Security Systems (NSS), 27 March 2014, and on the National
Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
The knowledge and strategies provided during this course will allow attendees to accurately and effectively
apply cost-effective and appropriate security controls based on risk and best practices. The course is highly
interactive and will allow attendees to apply that knowledge in 15 real-world group exercises.
The course will also provide attendees with actual examples of the key documents required to complete the
RMF processes.
Additionally, the author of this course has supported over 300 Military, Federal, and commercial system
authorizations.
Duration: 3 days
Continuing Professional Education (CPE): Credits for SSCP, CISSP, ISSEP, ISSMP, ISSAP, CSSLP, CAP,
CISA, CISM, CRISC and CGEIT

Course Outline

Day 1:
Introductions and Course Overview

Section 1 - Understand Security Authorization
  Documents
    o FISMA, NIST/NSA, NIST Publications, and OMB A-130
  Concept of Authorization Process
    o Problem, Controls, Implement, Assess, Approve, and Maintain
  Authorization Evolution
    o DITSCAP, NIACAP, FISMA, NIST, DIACAP, and RMF
  Department of Defense (DOD) Risk Management Framework (RMF)
    o DOD: DoDI 8500.01 and DoDI 8510.01
    o CNSS: CNSSP-42, CNSSI-1253 and Appendix K Annexes, CNSSI-1253A, and CNSS 4009

327 Solutions, Inc.

www.327solutions.com

All Rights Reserved


o
o

NIST: SP800-18, SP800-30, SP800-37, SP800-39, SP800-53, SP800-53A, SP800-137, and


SP800-160
Processes: SDLC and DoD System Acquisition Process

  Roles and Responsibilities (NIST SP800-37 and DoDI 8510.01):
    o DoD and Component Chief Information Officers (CIO)*
    o Risk Executive (Function)*
    o DoD and Component Senior Information Security Officer (SISO)*
    o Authorizing Official (AO)*
    o AO Designated Representative (AODR)
    o Information Owner (IO)/Steward
    o Common Control Provider (CC Provider)
    o Information System Security Manager (ISSM)
    o Information System Owner (ISO)
    o Information System Security Officer (ISSO)
    o Information Security Architect
    o Information System Security Engineer (ISSE)
    o Security Control Assessor (SCA)
    o User Representative (UR)
  RMF Tools DoDI 8510.01
    o eMASS and Information Assurance Support Environment (IASE)
  Security Processes and Concepts:
    o Adequate Security and Risk-Based Cost-Effective OMB Circular A-130
    o Security Objectives: Confidentiality, Integrity, and Availability
    o Risk: Low, Moderate, and High
    o Privacy Rules: HIPAA, Personally Identifiable Information (PII), etc.
    o Trust Relationships: Reciprocity, Documents, etc.
    o Defense-In-Depth
  Risk Management (NIST SP800-39)
  Risk Assessment (NIST SP800-30)
    o Qualitative, Quantitative and Quasi-Quantitative
    o Risk Assessment Group Exercise


[Graphic: the DOD RMF process with DIACAP references; a sample of one of the course manual pages.]

Section 2 - RMF 1 Categorize Information and Information System
    o System Security Plan SP800-18 and SP800-37
    o DoD IT Products, Services, and PIT DoDI 8510.01
    o Categorization CNSSI-1253, FIPS 199, and SP800-60
        Overlays CNSSI-1253 and SP800-53
        Risk Impact Factors CNSSI-1253 and SP800-53


    o Accreditation Boundaries SP800-18 and SP800-37
        Boundary and Categorization Group Exercise
    o Interconnecting Information Systems SP800-47
    o Registration SP800-53
    o Assign Qualified Personnel DoDD 8570.01 and DoDD 8140.01

Day 2:

Section 3 - RMF 2 Select Security Controls
    o Specific, Common, and Hybrid Controls SP800-53, CNSSI-1253, and Sample SP
        Type Control Group Exercise
    o Selecting Security Controls CNSSI-1253, FIPS-200, and SP800-53
    o Tailoring Controls CNSSI-1253 and SP800-53
        Tailoring Controls Group Exercise
    o Compensating Controls SP800-53
        Compensating Control Group Exercise
    o Trustworthiness and Assurance SP800-53
    o Monitored Control Selection SP800-37
    o Approval and Registration DoDI 8510.01
    o Knowledge Services and eMASS

Section 4 - RMF 3 Implement Security Controls
    o Security Control Implementation SP800-53
    o Control Documentation SP800-18 and SP800-37
    o Approved Configurations, Tests and Checklists SP800-70, eMASS and IASE.mil
    o Security Content Automation Protocol (SCAP) SP800-115 and SP800-117

Day 3:

Section 5 - RMF Step 4 Assess Security Controls
    o Assessment and Testing Methods SP800-53A and SP800-115
    o Vulnerability Tools and Techniques SP800-53A and SP800-115
    o Develop Security Assessment Plan (SAP) SP800-37
    o Assessor Expertise and Independence SP800-37
    o Assess Security Control SP800-53A and SP800-115
    o Security Assessment Report (SAR) SP800-37, SP800-53A and SP800-115
    o Conduct Remediation Actions SP800-37 and SP800-53

Section 6 - RMF 5 Authorize Information System
    o Special DoD Systems DoDI 8510.01
    o Plan Of Actions and Milestones (POA&M) OMB M-02-01 and Sample POA&M
    o Security Authorization Package SP800-37 and DoDI 8510.01
        SSP, SAR, and POA&M
    o Determine Risk DoDI 8510.01
    o Authorization SP800-37 and DoDI 8510.01
        Authority to Operate (ATO), Interim Authorization to Test (IATT), and Denial of Approval to Operate (DATO)


    o Special Authorizations DoDI 8510.01
        Type Authorizations
        Platform Information Technology (PIT) Authorizations
    o Contingency Strategies
        Group Contingency Deployment Group Exercises

Section 7 - RMF 6 Monitor Security Controls
    o Information Security Continuous Monitoring (ISCM) SP800-137 and HBSS
    o Determine Impact of Change SP800-128 and SecCM
    o Patch and Vulnerability Management SP800-40
    o Assessments SP800-53A and SP800-115
    o Cloud Computing FedRAMP, FedRAMP+, SP800-53, and SRG
    o DoD RMF Schedule, Status, and Issues DoDI 8510.01

Other Resources:
  Summary
  Appendices
    o Appendix A Regulations and Standards
    o Appendix B Authorization Evolution
    o Appendix C DoD RMF Graphics
    o Appendix D Risk Management Framework Steps and Tasks
    o Appendix E SDLC, RMF and FIPS/SP Pub Relationship Table
    o Appendix F Information Security Plan Template
    o Appendix G Control Families
    o Appendix H Plan of Action and Milestones (POA&M)
    o Appendix I Continuous Monitoring Actions Sample
    o Appendix J Resources Schedule of Continuous Monitoring Actions
    o Appendix J Security Control Overlays Template
    o Appendix K Security Control Monitoring Frequencies
    o Appendix M Patch and Vulnerability Management ROI
    o Appendix N DoD Cybersecurity Glossary

About the Course Author:
This RMF for DoD course was created by a security expert with more than 30 years' experience. He created and
taught, as adjunct faculty, the first graduate computer security course at a major Ivy League university; he served
in the military for over twenty years and was a project manager for the NSA for five years. He has supervised and
supported the securing of over 300 military, government and commercial IT systems. In just the past three years,
he has supported the securing of IT systems at DHS, VHA, NASA, DOE, EPA, USDA, USAF, DOJ and FEMA.
This course is updated with the most relevant content to ensure your move to RMF is successful.
