DIACAP to RMF Transition Training for DoD Information Security Professionals

Risk Management Framework (RMF) for DoD Security Controls Assessors (SCA) and Information System Security Officers/Engineers/Managers (ISSO/E/M)

This course provides a comprehensive immersion into the Risk Management Framework (RMF) for cybersecurity professionals in the DoD and IC. The course, which is taught by the author of one of the first RMF system security plans in all of the military and DoD to obtain an RMF ATO, addresses both the roles of those who implement security controls, such as the Information System Security Engineer (ISSE), Information System Security Officer (ISSO) and Information System Security Manager (ISSM), and the role of the Security Control Assessor (SCA), who assesses the security implemented. It covers all roles and responsibilities based on the methods used to implement and assess DoD cybersecurity as identified in DoDI 8510.01, NIST 800-53, Rev. 4 and CNSSI 1253, making direct use of these references throughout the class. This course will teach the ISSO/E/M and SCA to build and assess a system security plan (SSP) covering all RMF security control families identified in NIST 800-53, Rev. 4 and CNSSI 1253. The training will cover the DoD-defined information technology types and their associated security controls, vulnerability scanning, and DoD-approved automated scanning tools (i.e. ACAS). The course provides an in-depth explanation, with interactive labs, of each control family identified in NIST 800-53, Rev. 4 and CNSSI 1253, including the appropriate testing methods, the associated supporting body of evidence, and how to efficiently and effectively test and validate DoD systems and infrastructure. The manual provided with the class includes all security controls with recommended assessment procedures and artifacts, as well as a sample SSP with numerous DoD references for implementation guidance. Depending on the access available in the NLS-provided or government-provided training facility and student user accounts, the training will incorporate hands-on learning sessions with applicable tools (e.g. eMASS) for the documentation and assessment of all applicable security controls in accordance with the standards defined by DoD, IC, and NIST policies. The course will incorporate the DISA- and DIA-approved capabilities, IC, and industry standards for vulnerability assessment, including reporting capabilities to higher echelons such as the Continuous Monitoring and Risk Scoring (CMRS) system. After completing this training, SCAs will have the ability to perform assessment validation via both manual and automated procedures. This training will provide samples of the ISSO/E/M-produced SSP and of the SCA reports needed to document security assessments performed using both automated means (such as eMASS) and manual documentation such as a Security Requirements Traceability Matrix (SRTM) and Security Assessment Report (SAR).

Course outline:

  • Introductions
  • Paradigm Shift from DIACAP to RMF
  • Major Challenges of the New Approach (Lessons learned from the first DoD RMF Early Adopters program ATO packages)
  • FIPS 199 and CNSSI 1253
  • ISSO/SCA Perspective on System Categorization and Control Selection
  • NIST SP 800-53, 800-53A, and eMASS
  • The System Security Plan (SSP)
  • RMF Assessment Procedures Part 1 – Management Control Families (Hands-on labs and interactive discussion)
  • RMF Assessment Procedures Part 2 – Operational Control Families (Hands-on labs and interactive discussion)
  • RMF Assessment Procedures Part 3 – Operational Control Families (Hands-on labs and interactive discussion)
  • RMF Assessment Procedures Part 4 – Technical Control Families (Hands-on labs and interactive discussion)
  • RMF Assessment Procedures Part 5 – Technical Control Families (Hands-on labs and interactive discussion)
  • RMF Assessment Procedures Part 6 – Technical Control Families (Hands-on labs and interactive discussion)
  • Producing the Security Assessment Report (SAR) (Hands-on labs and interactive discussion)
  • Developing the Risk Assessment Report (RAR) (Hands-on labs and interactive discussion)
  • Submitting the RMF Authorization package
  • Continuous Monitoring and Risk Management Using CMRS
  • Final Thoughts and Q&A

This cybersecurity course is $2995.00 per student for training at our facility. Contact us for group pricing.