• duration
    4 days
  • Award Winning
    RMF Courseware
  • (ISC)2 CAP
    Exam Review
  • DoD RMF Focused
    Boot Camp

Learn the DoD authorization process and gain an understanding of the Risk Management Framework.

Our Risk Management Framework (RMF for DoD) Course is a 4-day comprehensive deep dive into DOD authorization process and is designed for students looking for a thorough understanding of the Risk Management Framework for DoD Information Technology.

During this course, the knowledge and strategies provided will allow the attendees to accurately and effectively apply cost-effective and appropriate security controls based on risk and best practices.

This training course is available in both classroom based and virtual formats.

What’s Included

Proprietary RMF Courseware
Sample RMF Process Documents
Group Study/Lab Guide Book
(ISC)² CAP Exam Review

training features

  • Understand the Risk Management Framework for DOD IT Authorization process

  • Understand FISMA & NIST processes for authorizing Federal IT systems

  • Explain statutory and regulatory requirements

  • Apply these principles to real-world activities and situations



Learn Risk Management Framework (RMF) Fast

The Risk Management Framework (RMF) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of systems into the mission and business processes of the organization.

  • Award Winning Instructor

    This RMF for DoD course was created by a security expert with more than 30-years’ experience. As the creator and professor of the first graduate computer security course as adjunct faculty with a major Ivy League university, he served in the military for over twenty years and was a project manager for the NSA for five years.

  • (ISC)²'s CAP Exam Support

    This course is updated with the most relevant content to ensure your move to RMF is successful. This course may also be used as a certification preparation for (ISC)²'s CAP program.

Risk Management Framework for DoD Certification Boot Camp Outline

Section 1: Understand Security Authorization
a. Concept of Authorization Process
b. Problem, Controls, Implement, Assess, Approve and Maintain
c. Authorization Evolution
e. Department of Defense (DoD) Risk Management Framework (RMF)
f. DoD: DoDI 8500.01 and DoDI 8510.01
g. CNSS: CNSSP-42, CNSSI-1253 and Appendix K Annexes, CNSSI-1253A, and CNSS 4009
h. NIST: SP 800-18, SP 800-37, SP 800-39, SP 800-53, SP 800,53A, SP 800-137, and SP 800-160
i. Roles and Responsibilities (NIST SP800-37 and DoD 8510.01)
j. DoD and Component Chief Information Officers (CIO)
k. Risk Executive (Function)
l. DoD and Component Senior Information Security Officer (SISO)
m. Authorizing Official (AO)
n. AO Designated Representative (AODR)
o. Information Owner (IO) /Steward
p. Common Control Provider (CC Provider)
q. Information System Security Manager (ISSM)
r. Information System Owner (ISO)
s. Information System Security Engineer ISSE)
t. Security Control Assessor (SCA)
u. User Representative (UR)
v. RMF Tools – DoDI 8510.01
w. eMASS and Information Assurance Support Environment (IASE)
x. Security Processes and Concepts
y. Adequate Security and Risk-Based Cost-Effective – OMB Circular A-130
z. Security Objectives: Confidentiality, Integrity and Availability
aa. Risk: Low, Moderate, and High
ab. Privacy Rules: HIPAA and Personally Identifiable Information (PII)
ac. Trust Relationships: Reciprocity and Documents
ad. Defense-in-Depth
ae. Risk Management (NIST SP800-39)
af. Risk Assessment (NIST SP800-30)
ag. Qualitative, Quantitative, and Quasi-Quantitative
ah. Risk Assessment Group Exercise

Section 2: RMF Step 1 – Categorize Information and Information System
a. System Security Plan – SP 800-18, SP 800-37
b. DoD IT Products, Services, and PIT- DoDI 8510.01
c. Categorization – CNSSI-1243, FIPS 199, amd S{800-60
d. Overlays- CNSSI- 1253 and SP800-53
e. Risk Impact Factors- CNSSI-1253 and SP800-53
f. Accreditation Boundaries – SP 800-18 and SP 800-37
g. Boundary and Categorization Group Exercise
h. Interconnecting Information Systems – SP 800-47
i. Registration – SP 800-53
j. Assigned Qualified Personnel- DoDD 8570.01 and DoDD 8140.01

Section 3: RMF Step 2 – Select Security Controls
a. Specific, Common and Hybrid Controls – SP 800-53, CNSSI-1253, and Sample SP
b. Type Control Group Exercise
c. Overlays – CNSSI-1253, SP 800-53, and Sample Overlay
d. Selecting Security Controls – CNSSI-1253, FIPS-200, and SP 800-53
e. Tailoring Controls – CNSSI-1252 and SP 800-53
f. Tailoring Controls Group Exercise
g. Compensating Controls- SP800-53
h. Compensating Control Group Exercise
i. Trustworthiness and Assurance – SP 800-53
j. Monitored Control Selection – SP 800-37
k. Approval and Registration- DoDI 8510.01
l. Knowledge Services and eMASS

Section 4: RMF Step 3 – Implement Security Controls
a. Security Control Implementation – SP 800-53
b. Control Documentation- SP800-18 and SP800-37
c. Approved Configurations, Tests and Checklists – SP 800-70, eMASS and IASE.mil
d. Security Content Automation Protocol (SCAP)- SP800-115 and SP800-117

Section 5: RMF Step 4 – Assess Security Controls
a. Assessment and Testing Methods – SP 800-53A and SP 800-115
b. Vulnerability Tools and Techniques – SP 800-53A and SP 800-115
c. Develop Security Assessment Plan and Report – SP 700-37 and Sample SAR
d. Assessor Expertise and Independence – SP 800-37 and DoDI 8510.01
e. Assess Security Control- SP800-53A and SP800-115
f. Conduct Security Control Assessments – SP800-37 and SP800-53

Section 6: RMF Step 5 – Authorize Information System
a. Special DoD Systems- DoDI 8510.01
b. Plan Of Actions and Milestones (POA&M) – OMB M-01-01 and Sample POA&M
c. Security Authorization Package – SP 800-37 and DoDI 8510.01
d. SSP, SAR, and POA&M
e. Authorization – SP 800-37 and DoDI 8510-01
f. Authority to Operate (ATO)
g. Interim Authorization to Test (IATT)
h. Denial of Approval to Operate (DATO)
i. Special Authorizations – DoDI 8510.01
j. Type Authorizations
k. Platform Information Technology (PIT) Authorizations
l. Contingency Strategies
m. Group Contingency Deployment Group Exercises

Section 7: RMF Step 6 – Monitor Security Controls
a. Information Security Continuous Monitoring (ISCM) – SP 800-137 and HBSS
b. Patch and Vulnerability Management – SP 800-40
c. Cloud Computing- FedRAMP, FedRAMP+, SP800-53, and SRG
d. DoD RMF Schedule, Status and Issues- DoDI 8510.01
e. Appendixes
f. Regulations and Standards
g. Authorization Evolution
h. DoD RMF Processes
i. Risk Management Framework Steps and Tasks
j. SDLC, RMF and FIPS/SP Pub Relationship Table
k. Information Security Plan (SP) Template
l. Control Families
m. Plan of Action and Milestones (POA&M)
n. Continuous Monitoring Action Samples
o. Resources Schedule of Continuous Monitoring Actions
p. Security Control Overlay Template
q. Security Control Monitoring Frequencies
r. Patch and Vulnerability Management ROI
s. DoD Cybersecurity Glossary

  • View Pricing/Schedule

    Check out dates and locations for this program

    See dates

    More information about bringing an event to you.

    More Information
  • Register Now

    Enroll now and start your learning adventure

    Start Here


As a veteran Training Camp offered me the opportunity to enhance my learning and change my field of work into a rapidly growing market. Definitely worth it!
Brandon McCartney
Although the course material is tough and sometimes seems daunting, the instructors are effective in getting through it.
Daniel Y
The training camp experience was great, informative, and just what I needed to jump start my training in RMF.
Lionel B HMS
The Training Camp experience was well organized and super-informative. The instructor's experience and ability to communicate made the training worth more than it's weight in gold! I highly recommend the CISSP course at Training Camp!
CL SecureStrux, LLC
CISSP instructor Ross Everett-knowledgeable, thorough and very easily understood. The location of class room was great in the metro D.C. Area. Hotel package was a fantastic deal. Going to return for cloud certs in no time.
Jia Hedman Leidos
I recommend taking this boot camp with Training Camp. The instructor was excellent, answered any questions that came up, discussed the topics thoroughly and was clear about the subject matter we were to cover.
HS U.S. Army
A must stop-by resort before any certification test. Teachers teach you something for life, rather than only for certification.
Zubir Ahmad
Training camp got me up to speed on the domains that I hadn't had tons of experience and in the end this made all the difference to ensure I attained my certification.
JS EZe Software Group
The Training Camp provided a great training environment for my Security+ certification. Feeding me information and knowledge through a fire hose was exactly what was needed for my study style. I will definitely consider Training Camp in the future.
Luke Swearingen Harris
The class was very interactive with students providing their real world experience to supplement the course material.
Chris Louie IronKey by Imation
01 010