RSK301: Risk Management Framework 2.0 (RMF 2.0)
Course Outline · CPEs: 36 · Lab Requirements
Access Period: 6 months · Price: $299 · Instructor: Jim Broad
Developing secure systems and software has been a continual challenge for organizations of all sizes. Security and privacy controls have been developed over time to counter existing and evolving threats; however, implementing the correct controls is a challenge for most developers. System owners and software developers often rely on information security, cyber, and risk professionals, who are tasked with determining the proper controls to implement and how to implement them correctly. The challenge is to select the right controls commensurate with the risk level, balancing security with usability and cost.
The Risk Management Framework (RMF) was developed to assist in the development of secure systems and applications that balance cost and security while maintaining the appropriate level of usability. The framework allows integration of security into the development of systems and applications, tying specific steps and tasks to the system/software development lifecycle (SDLC). While the RMF was developed to be used with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security control catalog, it can easily be used to implement other control sets, including the Payment Card Industry (PCI) Data Security Standard (DSS) or the Health Insurance Portability and Accountability Act (HIPAA), by changing out the control set. It is even possible to implement multiple control sets or requirements in a single system or application using this framework.
The purpose of the initial development of the framework was to synchronize the secure development of information systems across all government organizations; it applies equally well to organizations in the private sector. In recent years, organizations in many sectors, including financial, pharmaceutical, automotive, and organizations classified as critical infrastructure, have found benefit in using all or part of the RMF to manage security and privacy risks. Additionally, the RMF has been adopted by State, Local, and Tribal Governments.
By following the seven steps of the RMF, organizations can integrate the selection, implementation, assessment, and monitoring of security controls and requirements into the system/software development lifecycle (SDLC). This alignment ensures security is “baked in” to systems and applications from the beginning through operation and decommissioning.
Each step of the RMF process is iterative and leads to the next, but the process still allows the flexibility to be modified to fit an individual organization's process flows and procedures. The steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step consists of several tasks that are completed to ensure security, privacy, and risk are addressed at every stage of system or application development.
This course walks through every step and task in the RMF 2.0, covering the required inputs and outputs, responsibilities, and functions that must be completed to ensure systems are developed within the risk tolerance of the enterprise. Completion of this course and the associated handouts, exercises, and reference material does more than prepare the risk management, security, cyber, or privacy professional to implement the RMF; it also provides the knowledge needed to pass the (ISC)2© Certified Accreditation Professional (CAP)© certification exam.