RSK301: Risk Management Framework 2.0 (RMF 2.0)
Interactive Videos include inline questions that drive understanding of each task
Topic specific workbooks focus on important information
Word search games and flashcards test knowledge
Select topics include labs to test your knowledge with hands on tasks
Access Period: 6 months · Price: $399 · Instructor: Jim Broad
Developing secure systems and software has been a continual challenge to organizations of all sizes. Security and privacy controls have been developed over time to counter existing and evolving threats; however, implementing the correct controls is a challenge to most developers. System owners and software developers often rely on information security, cyber, and risk professionals tasked with determining the proper controls to implement and how to implement them correctly. The challenge is to select the right controls commensurate with the risk level, balancing security with usability and cost.
The Risk Management Framework (RMF) was developed to assist in developing secure systems and applications that balance cost and security while maintaining the appropriate level of usability. The framework allows integration of security into systems and applications, tying specific steps and tasks to the system/software development lifecycle (SDLC). While the RMF was developed to be used with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, the security control catalog, it can easily be used to implement other control sets, including the Payment Card Industry (PCI) Data Security Standard (DSS) or the Health Insurance Portability and Accountability Act (HIPAA), by changing out the control set. It is even possible to implement multiple control sets or requirement sets in a single system or application using this framework.
The purpose of the initial development of the framework was to synchronize the secure development of information systems across all government organizations; it can be applied equally in organizations in the private sector. In recent years, organizations in many sectors, including financial, pharmaceutical, automotive, and organizations classified as critical infrastructure, have benefited from using all or part of the RMF to manage security and privacy risks. Additionally, the RMF has been adopted by State, Local, and Tribal Governments.
By following the seven steps of the RMF, organizations can integrate the selection, implementation, assessment, and monitoring of security controls and requirements into the system/software development lifecycle (SDLC). This alignment ensures security is “baked in” to systems and applications from the beginning through operation and decommissioning.
Each step of the RMF process is iterative and leads to the next, but still allows the flexibility to be modified to fit an individual organization’s process flows and procedures. The steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step consists of several tasks that must be completed to ensure security, privacy, and risk are addressed at every stage of system or application development.
This course walks through every step and task in the RMF 2.0, covering the required inputs and outputs, responsibilities, and functions that must be completed to ensure systems are developed within the enterprise’s risk tolerance. Completion of this course and the associated handouts, exercises, and reference material does more than prepare the risk management, security, cyber, or privacy professional to implement the RMF; it also provides the knowledge needed to pass the (ISC)2© Certified Accreditation Professional (CAP)© certification exam.