RSK301: Risk Management Framework 2.0 (RMF 2.0)
CPEs: 36 · Access Period: 6 months · Price: $399 · Instructor: Jim Broad
Developing secure systems and software has been a continual challenge for organizations of all sizes. Security and privacy controls have been developed over time to counter existing and evolving threats; however, implementing the correct controls remains difficult for most developers. System owners and software developers therefore often rely on information security, cyber, and risk professionals, who are tasked with determining which controls to implement and how to implement them correctly. The challenge is to select controls commensurate with the risk level, balancing security against usability and cost.
The Risk Management Framework (RMF) was developed to assist in building secure systems and applications that balance cost and security while maintaining an appropriate level of usability. The framework integrates security into the development of systems and applications by tying specific steps and tasks to the system/software development lifecycle (SDLC). While the RMF was developed for use with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control catalog, it can just as easily be used to implement other control sets, such as the Payment Card Industry (PCI) Data Security Standard (DSS) or the Health Insurance Portability and Accountability Act (HIPAA) requirements, by swapping out the control set. It is even possible to implement multiple control sets or requirement sets in a single system or application using this framework.
The framework was initially developed to synchronize the secure development of information systems across all government organizations, but it applies equally well in the private sector. In recent years, organizations in many sectors, including financial, pharmaceutical, automotive, and critical infrastructure, have found benefit in using all or part of the RMF to manage security and privacy risks. The RMF has also been adopted by State, Local, and Tribal Governments.
By following the seven steps of the RMF, organizations can integrate the selection, implementation, assessment, and monitoring of security controls and requirements into the system/software development lifecycle (SDLC). This alignment ensures security is “baked in” to systems and applications from the beginning through operation and decommissioning.
Each step of the RMF process is iterative and leads to the next, while still allowing the flexibility to be adapted to an individual organization's process flows and procedures. The steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step consists of several tasks that are completed to ensure security, privacy, and risk are addressed at every stage of system or application development.
This course walks through every step and task in RMF 2.0, covering the required inputs and outputs, responsibilities, and functions that must be completed to ensure systems are developed within the risk tolerance of the enterprise. Completing this course and the associated handouts, exercises, and reference material will not only prepare the risk management, security, cyber, or privacy professional to implement the RMF, but also provide the knowledge needed to pass the (ISC)² Certified Authorization Professional (CAP) certification exam.
This module introduces the objectives of the course and describes how to use the course pages and included resources to gain a full understanding of the Risk Management Framework.
- Introduction to the Risk Management Framework 2.0 Course
This module introduces the Risk Management Framework and explains why organizations would, and should, adopt it to manage the risk introduced by information systems.
- Introduction to the RMF
- Introduction to the (ISC)2 CAP
- RMF Career Options
- What is NIST?
- Systems and System Elements
- Authorization Boundaries
- Requirements and Controls
This module introduces the changes made to the RMF with the introduction of NIST SP 800-37 Revision 2.
- Information Security and Privacy in the RMF
- Security and Privacy Posture
- Supply Chain Risk Management
- Risk Management Steps and Structure
- Updates to the RMF
This module covers the basics of risk management (RM) and how organizations can implement enterprise/organization-wide risk management.
- Organization-Wide Risk Management
This module describes the steps that are taken by the organization to prepare for the implementation of the RMF at the system level.
- RMF Roles and Responsibilities
- Risk Management Strategy
- Organizational Risk Assessment
- Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles
- Common Control Identification
- Impact Level Prioritization
- Continuous Monitoring Strategy
This module details the tasks the system owner completes to prepare for the system's processing through the RMF.
- Mission or Business Focus
- System Stakeholders
- Asset Identification
- Authorization Boundary
- Information Types
- Information Lifecycle
- System Risk Assessment
- Requirements Definition
- Enterprise Architecture
- Requirements Allocation
- System Registration
In this step, the system owner completes the tasks needed to categorize the information system based on the impact of a loss of confidentiality, integrity, or availability of the information it processes.
- System Description
- Security Categorization
- Security Categorization Review and Approval
In this step, the system owner selects the controls that will be implemented in the system to provide security and protect the information processed by the system.
- Control Selection
- Control Tailoring
- Control Allocation
- Documentation of Planned Control Implementation
- Continuous Monitoring Strategy
- Plan Review and Approval
In this step, the system owner implements the controls selected in the previous step. Any deviation from the planned implementation is documented.
- Controls Implementation
- Update Controls Implementation Information
In this step, an independent control assessor validates that the required controls have been implemented as documented, are operating as intended, and are producing the desired outcome with respect to the system's security and privacy requirements.
- Assessor Selection
- Assessment Plan
- Controls Assessment
- Assessment Report
- Remediation Actions
- Plan of Actions and Milestones
In this step, the Authorizing Official evaluates the risk of operating the system or providing the common control set and decides whether that risk is acceptable to the organization.
- Authorization Package
- Risk Analysis and Determination
- Risk Response
- Authorization Decision
- Authorization Reporting
In this step, the information system enters the Operations and Maintenance (O&M) phase.
- System and Environment Changes
- Ongoing Assessments
- Ongoing Risk Response
- Authorization Package Updates
- Security and Privacy Reporting
- Ongoing Authorization
- System Disposal
This module provides information and tips to help pass the CAP exam.
- Exam preparation tips