Background: On March 12, 2014, the DoD announced that, effective that same day, defense and military systems would be authorized under the Risk Management Framework (RMF) outlined by the National Institute of Standards and Technology (NIST), rather than under the DoD Information Assurance Certification and Accreditation Process (DIACAP).
The change was expected; it grew more likely over the preceding years as the DoD and NIST, working through a joint task force, sought common ground in their cybersecurity guidance documents.
Kratos SecureInfo has trained thousands of students on DIACAP and the NIST SP 800-37 processes, so helping students transition from one process to the other is the next logical step and just what this course does.
This intensive cybersecurity workshop blends lecture, discussion and hands-on exercises to educate students on the new methodology. It prepares students to implement the Risk Management Framework for their IT systems as prescribed in the updated DoD series of publications and the related NIST and CNSS publications.
The workshop compares and contrasts numerous aspects of the current DoD C&A process (DIACAP) with the new methodology for categorizing information systems, selecting and implementing applicable security controls, and establishing a Continuous Monitoring program.
This workshop breaks down the methodology into steps, tasks, outputs and responsible entities.
The course also includes lectures, discussions and exercises that provide a functional understanding of cybersecurity, risk management, and the proper selection, implementation and validation of the new security controls, as outlined on the DoD RMF Knowledge Service and complemented by the NIST Special Publications.
The course is built around a theoretical military scenario that students use to build their Security Plan and POA&M and to practice transitioning from the DIACAP (DoDI 8500.2) control set to the NIST SP 800-53 Rev. 4 control set. Computers are used during the training, and a resource CD containing all publications and templates needed to complete an authorization package is provided to students for use when they return to their work site.
The DoD has adopted, and is transitioning to, the Cybersecurity Risk Management Framework (RMF) methodology as the replacement for DIACAP. The direction for this transformation comes from the latest DoD and Committee on National Security Systems (CNSS) publications that replace DoDD 8500.1, DoDI 8500.2, DoDI 8510.01, CNSSP 22 and CNSSI 1253.
The process is supported and complemented by a suite of NIST standards and guidelines: Special Publications (SP) 800-37, 800-30, 800-39, 800-53, 800-53A and 800-137.
Price: $2,300.00 per student (GSA rates and volume discounts are available)
Materials Required: Laptops are required, as each student will create documentation and participate in guided practical exercises. The laptop must have Adobe Acrobat Reader, Excel and Word installed. Resource Kits for in-class work and supplemental materials are provided on CD to students attending the course.
Course Materials Provided:
Students will receive a workbook (to include instructional slides) and Resource Kit via CD (includes all supporting materials and exercises).
Locations: We offer this course in the Kratos SecureInfo training classrooms (San Antonio, TX and Chantilly, VA locations) or via mobile training at your facility for up to 15 students per course. Contact us at email@example.com or (210) 403-5600 or (888) 677-9351 (ask for the Training Department) for more information and pricing on mobile training options.
Who Should Attend?
The curriculum covered in this course is appropriate for all government and contractor personnel who must understand and implement the new methodology, including but not limited to ISSMs, ISSOs, SCAs, PMs/SMs, AO representatives and IGs/Auditors.
- Individuals with information system and security management and oversight responsibilities (e.g., Authorizing Official representatives, Chief Information Officers, Senior Information Assurance Officers, Information System Owners, or Certifying Authorities)
- Individuals with information system and information assurance control assessment and monitoring responsibilities (e.g., System Evaluators, Assessors/Assessment teams, Independent Verification and Validation Assessors, Auditors, Inspectors General, or Program Managers)
- Individuals with information assurance implementation and operational responsibilities (e.g., Information System Owners, Information Owners/Stewards, Mission/Business Owners, Information Systems Security Managers/Officers, Security Managers, or System Administrators)
Module 1: Introduction
- RMF for DoD IT - Terms and Key Concepts for Module 1
- DoD & RMF Background
- Purpose and Applicability of DoDD 8500.1, DoDI 8500.2 and 8510.01
- Purpose and Applicability of CNSSP 22 and CNSSI 1253
- Purpose and Applicability of NIST SP 800-37, 800-53, 800-39
- Summary of RMF for DoD IT - RMF Tasks
- End of Module 1 Exercise
- Theoretical Military Installation (TMI) scenario introduction (system description, hardware, software, firmware and architecture)
Module 2: RMF for DoD IT Fundamentals
- RMF for DoD IT - Terms and Key Concepts for Module 2
- RMF for DoD IT - Roles and Responsibilities
- RMF for DoD IT - Process Documentation
- Integrated Enterprise-Wide Risk Management
- DoD IS and PIT
- End of Module 2 Exercise
- TMI scenario (presented in DIACAP format, used as the starting point for transitioning to RMF for DoD IT)
Module 3: RMF Extras
- RMF for DoD IT - Terms and Key Concepts for Module 3
- Reciprocity of Assessments and Authorizations
- RMF for DoD IT - Knowledge Service
- Transitioning (C&A) to Security Authorization
- End of Module 3 Exercise
- TMI: mapping the DIACAP SIP, DIP, POA&M and Scorecard to RMF deliverables
Module 4: Working with the Security Controls
- RMF for DoD IT - Terms and Key Concepts for Module 4
- NIST SP 800-53, Security Controls
- NIST SP 800-53A, Assessing Security Controls
- End of Module 4 Exercise
- TMI: Security Plan (SP) security control mapping; in the Security Control Assessor role, building the Security Assessment Plan (SAP) and the Security Assessment Report (SAR)
Module 5: RMF Process - A Detailed Look
- TMI scenario: final transition of RMF deliverables and POA&M updates
- RMF for DoD IT - Terms and Key Concepts for Module 5
- The RMF for DoD IT - Process (Final wrap-up)
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
End of Course Exercise
* This Course Syllabus and the RMF Curriculum are subject to change as more information about the RMF for DoD IT process becomes available and as the referenced documents are finalized and released.
For course availability, please view our training schedule. Questions about our corporate training may be directed to training@KratosSecureInfo.com, or call 888.753.8377. Ask about our mobile training capability; it may save you money!