Implementing RMF & FISMA Requirements for FY2017

MARCH 1 – MARCH 2, 2017

Every year, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) raise the FISMA requirements to achieve the ultimate goal of “Near-Real-Time System Security Awareness” and “Ongoing Authorization”. All Agencies and Military elements now have Continuous Diagnostics & Mitigation (CDM), Host Based Security System (HBSS), and Assured Compliance Assessment Solution (ACAS) options to increase the security of their systems and to meet their FISMA Metrics for FY2017. Most people are asking:

  • How will FISMA be impacted by the Presidential Transition?
  • What changes with the new OMB A-130?
  • Which of the over 200 CDM/HBSS/ACAS automated solutions will support our system/enterprise security requirements and will help us meet our FY2017 FISMA Metrics?
  • How much security is enough to counter the existing real-world threats?
  • How do we implement “Ongoing Authorization” for our systems?
  • What are the Risk Management Framework (RMF/DoD RMF) and Cybersecurity Framework (CSF)?

If you are in a Federal Agency, Military, or supporting contractor organization, this 2-day non-technical seminar will provide the answers to these questions by providing the concepts, processes, solutions, templates, and strategies to help you meet your cybersecurity and FISMA requirements.

Course Details:

OMB, DHS, Department of Defense (DoD), Committee of National Security Systems (CNSS), and the National Institute of Standards and Technology (NIST) have made major advances in improving the security of Federal information technology (IT) systems.  They have created new standards, processes, and solutions that are streamlining and automating security and moving us closer to the goal of total near-real-time security awareness.  At the end of this seminar attendees will understand how to leverage:

  • The Presidential Transition’s increased emphasis on Cybersecurity
  • New automated solutions provided by CDM, HBSS and ACAS to support “ongoing authorizations” and meet the FISMA metrics
  • Modified RMF and CSF processes for effectively and accurately identifying and documenting a system’s security needs
  • Impact of OMB’s new Circular No. A-130
  • System deployment strategies to protect against evolving threats and attacks, such as leveraging authorization boundaries, Security Overlays and Templates, Compensating/Common/Hybrid Controls, “air-gaps” and “connect-and-protect”, etc.
  • Simple planning and management tools, like Cybersecurity Calendar and Cybersecurity Journal
  • Organization’s Sponsors:  Authorization Official’s, Facilities’, Physical, Security’s, Human Relations’, Operation’s, Budget’s, and Inspector General’s (IG’s) staffs

This course is about how to implement these together to successfully meet your enterprise and systems’ security and FISMA FY2017 Metrics.

This course was built on the popular 2-day Meeting FISMA Requirements course that has been taught for the past 8 years. All exercises are new to ensure they relate to current systems and solutions and use practical strategies for leveraging recent changes to meet your individual and enterprise FISMA responsibilities in FY2017. Attendees will gain a practical understanding of the strategies by working real-world examples during group activities and by reviewing actual samples of the key FISMA documents:

  • Security Plan (SP)
  • Risk Assessment Report (RAR)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M)
  • Information Security Continuous Monitoring Plans (ISCMP)
  • Cybersecurity Calendar
  • Cybersecurity Journal
  • RMF Security Control Baseline Tool (RMFSecCtrlBT)
  • CDM, HBSS, ACAS, and SCAP Product Solutions Cross Reference to meeting OMB CM Implementation requirements

Speakers from NIST and DHS will be providing current information and guidance related to trends and the new FISMA reporting metrics, processes, standards and solutions.  The course instructor brings real-world practical experience from supporting over 300 FISMA Agency, Military, Intelligence, and Commercial authorizations and continuous monitoring programs for systems in military, public and private sectors.

Course Attendees Will:

  • Gain a thorough understanding of the new FY2017 FISMA requirements and processes (FISMA metrics, CyberScope and CyberStat Reviews, etc.)
  • Receive strategies on how to leverage these changes to improve their security and make their FISMA efforts more effective
  • Learn how to create a Cybersecurity Calendar and Cybersecurity Journal to effectively manage their cybersecurity actions and increase resources for improving their system and enterprise security
  • Understand a new, modified approach to conducting the RMF
  • Identify what “Near-Real-Time” means in continuous monitoring and ongoing authorization
  • Receive an understanding of different security strategies, like “air-gaps” and “connect-and-protect”
  • Review the automated solutions and how to use them
  • Learn how to conduct a risk assessment and use the results to identify and justify more effective security solutions and gain additional resources
  • Identify CDM, SCAP, HBSS, and ACAS automated security solutions for meeting OMB CM implementation requirements
  • Participate in solving problems related to establishing effective boundaries, conducting risk assessments, facilitating group solutions, leveraging common controls, tailoring security controls and using security overlay templates, and identifying automated solutions
  • Receive the RMF Security Control Baseline Tool (RMFSecCtrlBT)

Learning objectives:

The learning objectives for this two-day Executive, Manager and Operations Level course are broad-ranging and include a number of concepts and strategies, including understanding the:

  • SP800-37, Revision 1, and SP800-39 standards for the new Authorization Process and Risk Management Framework
  • CNSSI-1253 process and supporting documents
  • New DOD RMF Process and the Transition from DIACAP, (DODI 8500.01 and DODI 8510.01)
  • Updated NIST SP 800 series documents that support the new process, e.g., risk assessments (SP800-30, Rev1), security controls (SP800-53, Rev4), security control testing (SP800-53A, Rev4) and ISCM planning (SP800-137)
  • How to meet the new FISMA Report Metrics
  • New practical, modified RMF process for successfully securing your systems in your environment and culture
  • Methods for reducing the amount of resources and paperwork
  • How to leverage the Security Overlay Templates
  • Answers to “How much is enough?” using “cost-effective and risk-based” methodologies
  • Strategies for developing key FISMA documents, with samples of:  SP, RAR, POAM, SAR, and ISCMP
  • How to create your own personal Cybersecurity Calendar and Cybersecurity Journal to effectively manage your FISMA actions and gain resources to support your security improvements
  • CDM, HBSS and ACAS solutions and where to use them
  • How to use the RMF Security Control Baseline Tool (RMFSecCtrlBT)

The course includes:

  • Course Manual, Study Guide, and Training Materials
  • Samples of Key FISMA documents:  SP, RAR, SAR, POAM, ISCMPs, and Cybersecurity Calendar
  • List of current military, government and commercial continuous monitoring tools
  • RMF Security Control Baseline Tailoring Tool
  • Certificate of Completion
  • Continental Breakfast and Lunch

Course Instructor:

James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, Senior Security Expert, Litchko & Associates, Inc.

Mr. Litchko has been working as a security expert for over 30 years. Jim created and taught the first graduate computer security course as an adjunct professor at Johns Hopkins University for ten years, was a military officer for twenty years, and was a project manager and executive at NSA for five years. He has supervised and supported the securing of over 300 military, government and commercial IT systems. Over the past seven years alone, he has supported the securing of IT systems at DHS, VHA, NASA, DOE, EPA, GAO, USDA, USAF, DOJ, and FEMA.

Currently, he is a senior security expert for Litchko & Associates and is a Certified (ISC)2 Instructor teaching the CISSP, Engineering Professional (ISSEP), and Certified Authorization Professional (CAP) review courses, and the DIACAP and Continuous Monitoring courses for (ISC)2, Global Knowledge, Digital Government Institute, and Johns Hopkins University.  

A student of Ken Blanchard, Ph.D., the author of The One-Minute Manager®, Jim holds a Master's degree from Johns Hopkins University and has authored five books on security and management topics, to include: FY2016 DoD RMF Manual, FY2016 FISMA Authorization Process Guide: A Review for the (ISC)2® CAP® Certification Exam, KNOW IT Security, KNOW Your Life, 2010 Official DIACAP for Global Knowledge, and co-authored (ISC)2’s Official Information System Security Management Professional, Cyber Threat Levels Response Handbook, and Know Cyber Risk.






PMI® PMPs will earn 11 PDUs for attending this Training Seminar

SSCP, CISSP, ISSEP, ISSMP, ISSAP, CSSLP or CAP credential holders from (ISC)2 can receive 11 Continuing Professional Education (CPE) credits. Credential holders must enter their CPE credits in the usual manner on the (ISC)2 website.

CISA, CISM, CRISC and CGEIT credential holders from ISACA can earn 11 CPE credits.  (Any course that pertains to at least one of the job practice areas of the certification will qualify for CPEs. It is up to the certified person to determine if the course or activity qualifies for CPE.)

Why attend?

Explore in a vendor-neutral, interactive, academic setting and learn how to effectively implement RMF, meet the new DHS, DOD, OMB and NIST FISMA requirements, and use practical strategies and automated tools in your organization to increase the security of your IT systems.


Attendees said:

“I learned a lot and was able to ask questions about specific issues after class.”

“I’ve attended other related training and this was by far the best value.”

“Litchko is seasoned and really good at maintaining interest.”