September 21-22, 2020

Implement New NIST RMF & Meet 2020 FISMA Metrics
Day 1: Monday, September 21
8:00AM Seminar Overview and Introductions
8:30AM Review of New Requirements – Presidential, OMB, DHS and NIST
  • President’s Executive Order 13800
  • OMB Memos (HVA Framework – OMB M-17-09, 2019 FISMA Guidance, Privacy Reporting and On-Going Authorization, A-130)
  • DHS Binding Operational Directives (BODs)
  • Risk Management Framework (RMF) – SP800-37
  • Cybersecurity Framework (CSF) – NIST CSF
9:50AM Morning Break
10:00AM NIST Special Publications Update
  Guest Speakers: Victoria Yan Pillitteri, CISSP, Senior Information Security Specialist, National Institute of Standards and Technology (NIST) and Eduardo Takamura, CISSP, MA, Information Security Specialist, National Institute of Standards and Technology (NIST)
11:10AM Authorization Boundary Identification
  • Group Real-World System Identification – Using Attendees’ System
  • Authorization Boundary Identification Exercise
12:00PM Lunch Break
 1:00PM DHS Cybersecurity Initiatives Update
  Guest Speaker: Fabion (Frank) Husson, Insights Branch Chief, Cyber Security Division (CSD), U.S. Department of Homeland Security (DHS) (Invited)
2:00PM Afternoon Break
2:10PM System Categorization
  • Categorize Real-World System Exercise
  • Boundary and Control Review
2:45PM Simplified Risk Assessments
  • Risk Modeling:  Quantitative, Qualitative, and Hybrid – SP800-30/SP800-39
  • Categorization – FIPS-199/SP800-60
  • System Maximum Impact Level – SP800-30/SP800-39/SP800-60
  • Security Control Baseline/Best Practices – FIPS 200/SP800-53
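The categorization and baseline-selection steps listed above (FIPS 199 impact levels per information type from SP 800-60, the system high-water mark, and the FIPS 200 / SP 800-53 baseline) can be worked through in a few lines of code. The following is an added example written for this page, not material from the seminar or from NIST; the information types, their provisional impact levels and the adjustment are constructed sample data.

```python
"""FIPS 199 security categorization of an information system.

Each information type (SP 800-60) carries a provisional impact level for
confidentiality, integrity and availability. The system's category is the
per-objective high-water mark across all of its information types, floored
at LOW, and the FIPS 200 / SP 800-53 baseline follows from the highest of
the three objectives. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Tuple

# Impact levels ranked so the maximum is the FIPS 199 high-water mark.
LEVEL_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def is_valid_level(level: str, objective: str) -> bool:
    """FIPS 199 permits 'not applicable' only for the confidentiality of
    public information; integrity and availability must always be rated."""
    level = level.upper()
    if level not in LEVEL_RANK:
        return False
    return not (level == "NA" and objective != "confidentiality")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional SP 800-60 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if not is_valid_level(value, objective):
            raise ValueError(f"{self.name}: invalid {objective} level {value!r}")
        return value


def categorize_system(
    info_types: Iterable[InfoType],
    adjustments: Optional[Mapping[Tuple[str, str], str]] = None,
) -> Dict[str, str]:
    """Return {objective: level} for the whole system.

    `adjustments` maps (information type name, objective) to a level that
    overrides the provisional one, which is how an SP 800-60 adjustment is
    recorded. The result is the high-water mark per objective, floored at
    LOW because FIPS 199 does not allow NA for an information system.
    """
    adjustments = dict(adjustments or {})
    result = {obj: "NA" for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            level = adjustments.get((it.name, obj), it.level(obj)).upper()
            if not is_valid_level(level, obj):
                raise ValueError(f"{it.name}: invalid adjusted {obj} level {level!r}")
            if LEVEL_RANK[level] > LEVEL_RANK[result[obj]]:
                result[obj] = level
    return {obj: ("LOW" if lvl == "NA" else lvl) for obj, lvl in result.items()}


def security_category(levels: Mapping[str, str]) -> str:
    """Render the FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    inner = ", ".join(f"({obj}, {levels[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


def overall_impact(levels: Mapping[str, str]) -> str:
    """FIPS 200 high-water mark across the three objectives; this is the
    level that selects the SP 800-53 LOW, MODERATE or HIGH baseline."""
    return max(levels.values(), key=LEVEL_RANK.__getitem__)


# Constructed sample: a benefits portal with two information types.
SAMPLE_TYPES = [
    InfoType("Public web content", "NA", "LOW", "LOW"),
    InfoType("Applicant PII records", "MODERATE", "MODERATE", "LOW"),
]
# Constructed adjustment: the system owner raises availability of the PII
# records because claims processing stops without them.
SAMPLE_ADJUSTMENTS = {("Applicant PII records", "availability"): "MODERATE"}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES, SAMPLE_ADJUSTMENTS)
    print(security_category(cat))
    print("Control baseline:", overall_impact(cat))
```

Two points the exercise usually turns on are built in: a system whose only information type is public content still receives a confidentiality level of LOW, not NA, and an adjustment that tries to mark integrity or availability as NA is rejected rather than silently lowering the baseline.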
3:45PM Adjourn
Day 2: Tuesday, September 22
8:00AM Security Controls (SP800-53)
  • Families
  • System-Specific, Common and Hybrid
  • Tailoring
9:00AM Security Control Exercises
  • System-Specific, Common and Hybrid Security Control Exercises
10:00AM Morning Break
10:10AM Tailoring and Compensating Control Exercises
11:00AM Leverage Government Initiatives
  • Security Content Automation Protocol (SCAP)
  • DoD Host-Based Security System (HBSS) Solutions
  • Assured Compliance Assessment Solution (ACAS)
  • Continuous Diagnostics and Mitigation (CDM) Program
  • Continuous Monitoring Dashboard
  • Binding Operational Directives (BOD), EINSTEIN, Trusted Internet Connection (TIC), Managed Trusted Internet Protocol Services (MTIPS), and DHS Cybersecurity Hygiene
  • Reviews
12:00PM Lunch Break
1:00PM Security Plans – SP800-18
  • Operations Manual and System Security Plan (SSP) – SP800-18
  • Security-focused Configuration Management Plan (SecCMP) – SP800-128
  • Patch Management Plan (PMP) – SP800-40
  • Information Security Continuous Monitoring Plan (ISCMP) – SP800-137
  • Incident Response Plan (IRP) – SP800-61/SP800-83
  • Contingency Plan (CP) – SP800-34
  • Cybersecurity Framework and Privacy Control Framework
1:50PM Afternoon Break
2:00PM Clouds and Security Services
3:00PM Cloud Accreditation and Reaccreditation Processes – FedRAMP
  Guest Speaker: Federal Risk and Authorization Management Program (FedRAMP) Office (Invited)
3:30PM Summary
3:45PM Adjourn
Note: Many products will be mentioned during the seminar; mentioning a product is not an endorsement.