November 18-19, 2019

Implement the New NIST RMF & Meet 2019 FISMA Metrics


Recently, the National Institute of Standards and Technology (NIST) released the final Risk Management Framework (RMF) standard (SP800-37, Rev 2), an update to the security and privacy control catalog and baselines (draft SP800-53, Rev 5), and a revision to the NIST Cybersecurity Framework (CSF).  RMF now includes an additional step, the Prepare step, with eighteen new tasks, and the control families have grown from 18 to 21 to add privacy and supply chain control families.  The President and OMB have also tightened the requirement to fold the CSF into the FISMA process, and DHS has initiated several new activities that enterprises and systems can leverage to increase security and meet ongoing authorization requirements.

All of these updates have made major changes to Federal Cybersecurity requirements that will affect government and contractor information systems and enterprises.  This seminar will identify the changes and provide strategies for effectively and quickly implementing solutions for meeting the new requirements.

The seminar will review all of the new initiatives and requirements, which include the following:

  • President’s Executive Order 13800 (E.O. 13800):  Implementing the CSF and deploying more automated solutions.
  • OMB Circular A-130:  Ongoing authorization, eliminating inefficient and wasteful reporting, leveraging the CSF, new incident response reporting, etc.
  • OMB Memoranda:  Security and Privacy, Securing High Value Assets (HVAs), FISMA Reporting, etc.
  • DHS Binding Operational Directives (BODs):  BOD 17-01, Removal of Kaspersky-branded Products; BOD 18-01, Enhance Email and Web Security; and BOD 18-02, Securing High Value Assets.
  • FISMA 2019 Metrics:  Chief Information Officer (CIO), Inspector General (IG), and Senior Agency Official for Privacy (SAOP).
  • Frameworks:  System Development Life Cycle (SDLC), RMF, Department of Defense (DoD) RMF, CSF, System Security Engineering Framework (SSEF), Privacy Framework, etc.
  • Guidance:  CSF, SP800-37 Rev 2, Draft SP800-53 Rev 5, Automation Support for Ongoing Assessment (NISTIR 8011), NIST Cybersecurity Practice Guides (SP1800 Series), etc.
  • Automation:  Continuous Diagnostics and Mitigation (CDM) Solutions and Dashboard, Host Based Security System (HBSS), Assured Compliance Assessment Solution (ACAS), and Security Content Automation Protocol (SCAP).
  • DHS Activities:  EINSTEIN, Trusted Internet Connection (TIC), Managed Trusted Internet Protocol Services (MTIPS), and DHS Cybersecurity Hygiene Reviews.
  • Clouds:  Federal Risk and Authorization Management Program (FedRAMP).

This seminar will include four group exercises using systems identified by the attendees to further instill the understanding of the RMF requirements. 

Guest speakers from NIST and DHS will provide current information and guidance on trends and on the new FISMA reporting metrics, processes, standards, solutions, and requirements, both current and future.  Additional speakers from the National Institutes of Health (NIH) will present a real-world implementation of their new consolidated System Security Plan (SSP) template.  Students will receive two new, successfully used SSP documents.


  • Dawn Gonchar, ERA Security Team, Office of Extramural Research, Office of Electronic Research Administration, National Institutes of Health (NIH)
  • Thomas Mason, CISSP, Information System Security Officer, Electronic Research Administration, National Institutes of Health (NIH)
  • Jennifer Oar, Business Intelligence and Advanced Data Analytics Section Chief, Cybersecurity Performance Management (CPM) Branch, Federal Network Resilience (FNR) Division, Cybersecurity and Infrastructure Security Agency (CISA)
  • Victoria Yan Pillitteri, CISSP, Senior Information Security Specialist, National Institute of Standards and Technology (NIST)

Jim Litchko, CISSP-ISSEP, the seminar instructor, brings real-world practical experience from supporting over 300 FISMA agency, military, intelligence, and commercial authorizations and continuous monitoring programs in the military, public and private sectors.  He also brings 30 years of experience developing and selling security products and services to the public and private sectors.

Bottom Line – This training seminar will make sense of all the recent changes and assist class participants in implementing the changes to successfully meet their FY19 RMF security and FISMA Metrics.

The course builds on the popular two-day Meeting FISMA Requirements course, which has been taught for the past 10 years.  All exercises are new, so that they relate to current systems and solutions and use practical strategies for leveraging the recent changes to meet your individual and enterprise FISMA responsibilities.


Course Attendees Will

  • Gain an understanding of the cybersecurity frameworks, updated requirements and processes
  • Understand how the new Presidential and NIST changes and requirements will affect their security programs
  • Review government initiatives, like cybersecurity hygiene, FedRAMP, EINSTEIN, TIC, MTIPS, CDM, HBSS and ACAS solutions
  • Receive strategies on how to leverage these changes and initiatives to improve their security and make their FISMA efforts more effective
  • Learn how to conduct a risk assessment and use the results to identify and justify more effective security solutions and gain additional resources
  • Understand the CDM, SCAP, HBSS, and ACAS automated security solutions for meeting the President’s and OMB ISCM implementation requirements
  • Review and obtain a real-world example of solutions and reference documents
  • Identify new opportunities for innovative processes, controls, products, and services necessary to support these Presidential and NIST changes

Who Should Attend?

The course is intended for Federal Agency, DoD and Intelligence Community:

  • Authorizing Officials (AOs), Inspectors General (IGs)
  • Chief Information Officers (CIOs), Chief Financial Officers (CFOs), Chief Operations Officers (COOs), Chief Security Officers (CSOs)
  • Program and Systems Managers (PMs and SMs)
  • Senior Information Security Officers / Chief Information Security Officers (SISOs/CISOs)
  • Information System Owners and Information Owners
  • Senior Agency Official for Privacy / Chief Privacy Officer (SAOP/CPO)
  • Information System Security Managers (ISSMs)
  • Information System Security Engineers (ISSEs)
  • System Security and Privacy Officers (ISSOs, SSOs and SPOs)
  • Security Control Assessors (SCAs)
  • System Administrators (SysAdm)
  • Product and Service Providers, Consultants, Integrators and Supporting Contractors
  • Cybersecurity Professionals
  • Supporting Staff Members

Learning objectives

The learning objectives for this two-day, executive-, manager- and operations-level course are broad ranging and include understanding:

  • The new Presidential, OMB, DHS, and NIST requirements
  • Updates to the NIST CSF, the Risk Management Framework (RMF, SP800-37 Rev 2), the draft Security and Privacy Controls Catalog (SP800-53 Rev 5), and others
  • Strategies for leveraging government initiatives, like cybersecurity hygiene, EINSTEIN, TIC, MTIPS, CDM, HBSS and ACAS solutions
  • Potential strategies for effectively meeting the new FISMA requirements
  • Methods for reducing the amount of resources and paperwork
  • New opportunities for innovative processes, controls, products and services necessary to support these Presidential and NIST changes

Why Attend?

Explore, in a vendor-neutral, interactive academic setting, how to effectively meet the new Presidential and NIST cybersecurity requirements and FISMA Metrics.  Discover how to use practical strategies and automated tools in your organization to increase the security of your IT systems.  Identify real-world users’ requirements for the new, innovative processes, controls, products and services necessary to support these and future changes.

Course Instructor

James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, Senior Security Expert, Litchko & Associates, Inc.

James Litchko

Mr. Litchko has been working as a security expert for over 30 years.  Jim created and taught the first graduate computer security course as an adjunct professor at Johns Hopkins University for 10 years, served as a military officer for 20 years, and was a project manager and executive at NSA for five years.  He has supervised and supported the securing of over 300 military, government and commercial IT systems.  For 40 years, he has successfully supported the development and sales of security products and services for seven companies, including Symantec, Telos, Security Solutions Corporation, Trusted Information Systems (Network Associates), System Research and Development (IBM), MountainWave (Symantec), and Internet Security Advisors Group (HP).  Currently, he is a senior security expert for Litchko & Associates and a Certified (ISC)2 Instructor teaching the CISSP, Engineering Professional (ISSEP), and Certified Authorization Professional (CAP) review courses, and the DIACAP and Continuous Monitoring courses for (ISC)2, Global Knowledge, Digital Government Institute, and Johns Hopkins University.  A student of Ken Blanchard, Ph.D., the author of The One-Minute Manager®, Jim holds a Master’s degree from Johns Hopkins University and has authored five books on security and management topics, including:  FY2016 DoD RMF Manual, FY2016 FISMA Authorization Process Guide: A Review for the (ISC)2® CAP® Certification Exam, KNOW IT Security, KNOW Your Life, and 2010 Official DIACAP for Global Knowledge, and co-authored (ISC)2‘s Official Information System Security Management Professional, Cyber Threat Levels Response Handbook, and Know Cyber Risk.  Implementing Practical Cybersecurity is forthcoming.


City Club of Washington, DC

555 13th Street, NW
Columbia Square
Washington, DC 20004



Early Bird Government: $1,095 (ends Nov 1)

Early Bird Industry: $1,195 (ends Nov 1)


PMI® PMPs will earn 11 PDUs for attending this Training Seminar.

SSCP, CISSP, ISSEP, ISSMP, ISSAP, CSSLP or CAP credential holders from (ISC)2 can receive 11 Continuing Professional Education (CPE) credits. Credential holders must enter their CPE credits in the usual manner on the (ISC)2 website.

CISA, CISM, CRISC and CGEIT credential holders from ISACA can earn 11 CPE credits.  (Any course that pertains to at least one of the job practice areas of the certification will qualify for CPEs. It is up to the certified person to determine if the course or activity qualifies for CPE.)

Why attend?

Explore, in a vendor-neutral, interactive academic setting, how to effectively implement RMF, meet the new DHS, DoD, OMB and NIST FISMA requirements, and use practical strategies and automated tools in your organization to increase the security of your IT systems.

What Past Attendees said:

“I learned a lot and was able to ask questions about specific issues after class.”

“I’ve attended other related training and this was by far the best value.”

“Litchko is seasoned and really good at maintaining interest.”

PMI, PMP are registered trademarks of The Project Management Institute.