NIST Risk Management Framework

A risk-based approach to cybersecurity

General Information/Narrative

RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and adopts the term cybersecurity in place of information assurance.

The RMF process is applicable to all IS and PIT systems, as well as DoD partnered systems where it has been agreed that DoD standards will be followed. IT below the system level (e.g., products, IT services) will not be subjected to the full RMF process. However, IT below the system level must be securely configured (in accordance with applicable DoD policies and security controls), documented in the authorization package and reviewed by the responsible Information System Security Manager (under the direction of the Authorizing Official) for acceptance or connection into an authorized computing environment.

The RMF process consists of six steps: Categorize System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls. This process parallels the system life cycle, with the RMF activities being initiated at program or system inception (e.g., documented during capabilities identification or at the implementation of a major system modification).

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management. Tier 1 is the strategic level, and it addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).Tier 2 is the Mission / Business Processes level. At this level, the Component CIO is responsible for administration of the RMF within the DoD Component cybersecurity program. Tier 3 is the IS andPIT Systems level. Here, the DoD Component Heads are responsible for the appointment of trained and qualified Authorization Officials for all DoD ISs and PIT systems within their Component.

Defense Acquisition Guidebook, Policies, Directives, Regulations, Laws

  • DoDI 8500.01 “Cybersecurity"
  • DoDI 8510.01 “Risk Management Framework for DoD Information Technology”
  • NIST SP 800-37, Rev 1 "Guide for Applying the RMF to Federal Information Systems"
  • NIST SP 800-39 "Managing Information Security Risk"
  • NIST SP 800-53, Rev 4 "Security and Privacy Controls for Federal Information Systems and Organizations"
  • NIST SP 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories"
  • CNSSI 1253 "Security Categorization and Control Selection for National Security Systems"
  • CNSSI 4009 "Committee on National Security Systems Glossary"

Your Instructor

Michael C. Redman
Michael C. Redman
After graduating from the Cisco Networking Academy with honors, he’s achieved AAS degrees in Computer Networking and Network Security, as well as BS in Network Engineering. Twice awarded the National Science Foundation Scholarship; and a recognized SME by the CSIAC, CompTIA, and ISC2. He has sat on the advisory boards for both undergraduate colleges as well as served as the Chair - Cybersecurity Training Working Group for the US Army. Michael has a demonstrated ability to deliver complex technical instruction in a clear and understandable manor. This ability earned him recognition by the Southern Association of Colleges as an outstanding educator in 2010.
Michael has served as the Sr. cybersecurity advisor to a 1, 2 and 3 Star commander(s) and senior executive management regarding advanced techniques and developments in the Information Assurance / Cybersecurity arena of Automated Information Systems (AIS). Responsible to both identify risk and recommend appropriate countermeasure within the enclave, isolated and tactical computing environments of the DoD. He has a proven ability to manage highly technical staff working with multiple levels of data sensitivity [ranging from Public to Top Secret/SCI] with duties ranging from design and architecture, security engineering, installation, and integration of systems and/or enclaves.
As a fully qualified United States Marine Corps NIST Risk Management Framework (RMF) validator, Michael is responsible for the planning, organization and execution of risk management assessment for Department of Defense Independent Verification and Validation (IV&V) activities, identifying security vulnerabilities utilizing a variety of classic and modern exploit tools and techniques. He is a highly skilled IT consultant focusing on large-scale software upgrades and rollouts, network troubleshooting, modernization and design. Configuration and support for Intrusion Detection/Protection Systems, Firewalls, and Network Security. Michael has also provided network modernization and design consulting services for the Navy, Air Force and Marine Corps specializing in secure virtual infrastructure design and deployment.
Additionally, he has helped many IT professionals achieve not only their desired certifications but also, their advanced degrees in both Computer Networking and Network Security. Michael’s students have gone on to secure employment within the DoD, State, Federal and commercial arenas.

Michael is certified in and has authored courses in Cisco ICND 1 & 2, EC|Council Certified Ethical Hacker, CompTIA Security+, Network+, Linux+, and CASP, ISACA CISM, and CISA, and ISC2 CISSP and CAP. With an active TS/SCI, he’s been a speaker at the Atlanta Advanced Persistent Threat (APT) Summit, NETCOM Cybersecurity Workshop and Cybersecurity informational workshops for corporate companies like HP, Booze Allen and Northrup Grumman, Harris Communications and others.

Frequently Asked Questions

When does the course start and finish?
The course starts now and never ends! It is a completely self-paced online course - you decide when you start and when you finish.
How long do I have access to the course?
How does lifetime access sound? After enrolling, you have unlimited access to this course for as long as you like - across any and all devices you own.
What if I am unhappy with the course?
We would never want you to be unhappy! If you are unsatisfied with your purchase, contact us in the first 30 days and we will give you a full refund.

Get started now!