Implement the New NIST RMF Standards and Meet the 2023 FISMA Metrics
Two-day online class is hosted on Zoom. 8:00am-4:00pm ET each day. View Agenda
What are the impacts on the new Federal Information Security Management Act (FISMA) reporting resulting from the new documents released in 2022? Some of the key documents are:
- Presidential Executive Order 14028 that has increased emphasis on advancing toward “Zero-Trust Architecture” and “Endpoint Detection and Response (EDR)” and moving systems to FedRAMP clouds.
- Office of Management and Budget’s (OMB’s) M-21-02: Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements, has changed the emphasis on Cybersecurity status reporting for Fiscal Years 2022 and 2023.
Additionally, NIST has released the finals of many Risk Management Framework (RMF) standards (SP800-53 Rev 5 – Security Controls, SP800-53B – Security Control Baselines, Privacy Framework, SP800-160 Vol 2 – Systems Security Engineering, SP800-161 Rev 1 – Supply Chain Risk Management, SP800-171 Rev 2 – Controlled Unclassified Information (CUI) and High Valued Assets (HVA)), and revisions to the NIST Cyber Security Framework (CSF). RMF now requires an additional step, Preparation Step with 18 new Tasks, and the security control baselines families have increased from 18 to 20 to include more privacy and supply chain security control families. The President and OMB also increased the requirement to implement to new CSF process into the FISMA process and DHS has initiated several new activities that can be leveraged by enterprises and systems to increase the security and meet on-going authorization efforts.
All of these have made major changes to Federal Cybersecurity requirements that will affect government and contractor information systems and enterprises. This 2-day seminar will identify the changes and provide strategies for effectively and quickly implementing solutions for meeting the new requirements.
The seminar will review of all the new initiatives and requirements, which include the following:
- President’s Executive Order 14028 (E.O. 14028): Implementing Zero-trust architecture, deploying more automated EDR solutions and moving systems to the clouds
- 2021 FISMA Report to Congress: OMB’s analysis of agencies’ application of the intrusion detection and prevention capabilities across the Executive Branch
- OMB Circular A-130: On-going authorization, eliminate inefficient and wasteful reporting, leveraging the CSF, new incident response reporting, etc.
- OMB Memoranda: Security and Privacy, Security High Value Assets (HVA), FISMA Reporting, etc.
- Cybersecurity and Infrastructure Security Agency (CISA): Cybersecurity Incident & Vulnerability Response Playbooks
- DHS Secretary Binding Operational Directives (BODs) and Emergency Directives: BOD 22-01 – Reducing Exploited Vulnerabilities, BOD 20-01 – Develop and Publish a Vulnerability Disclosure Policy, BOD 19-02 – Vulnerability Remediation Requirements for Internet-Accessible Systems, ED 22-03 – Mitigate VMWARE Vulnerabilities, etc.
- FISMA 2022 Metrics: Chief Information Officer (CIO), Inspector General (IG), and Senior Agency Official for Privacy (SAOP) Frameworks: System Development Life Cycle (SDLC), RMF, Department of Defense (DoD) RMF, CSF, System Security Engineering Framework (SSEF), Privacy Framework, High Value Assets (HVA), Unclassified Controlled Information (UCI), etc.
- Guidance: CSF, Draft SP800-37 Rev 2, SP800-53 Rev 5, SP800-53B, SP800-160 Vol 2, SP800-161 Rev 1, SP800-171 Rev 2, Automation Support for Ongoing Assessment (NISTIR 8011), NIST Cybersecurity Practice Guides (SP1800 Series)
- Automation: Continuous Diagnostic Mitigation (CDM) Solutions and Dashboard, Host-Based Security System, Assured Compliance Assessment Solution (ACAS), and Security Content Automation Protocol (SCAP)
- DHS Activities: EINSTEIN, Trusted Internet Connection (TIC), Managed Trusted Internet Protocol Services (MTIPS), and DHS Cybersecurity Hygiene Reviews
- Clouds: Federal Risk and Authorization Management Program (FedRAMP)
This seminar will include numerous group exercises to further instill the understanding of the RMF requirements.
Guest speakers from NIST, DHS, and FedRAMP will be providing current information and guidance related to trends and the new FISMA reporting metrics, processes, standards, solutions, and requirements, current and future.
Jim Litchko, CISSP-ISSEP, the seminar instructor, brings real-world practical experience from supporting over 300 FISMA Agency, Military, Intelligence, and Commercial authorizations and continuous monitoring programs for systems in military, public and private sectors. Additionally, he brings 30 years of experience in developing and selling security products and services to the public and private sectors.
Additionally, students will be provided with electronic versions of two successful SSP documents, reference (directives, standards, directives, etc.), glossaries and acronym lists.
Bottom Line – This training seminar will make sense of all the recent changes and assist class participants in implementing the changes to successfully meet your FY23 RMF security and FISMA Metrics.
The course was built on the popular two-day Meeting FISMA Requirements course that has been taught for the past 12 years. All exercises are new to ensure they relate to current systems and solutions use practical strategies for leveraging recent changes into meeting your individual and enterprise FISMA responsibilities.
Course attendees will:
- Gain an understanding of the cybersecurity frameworks, updated requirements and processes
- Understand how the new Presidential and NIST changes and requirements will affect their security programs
- Review government initiatives, like cybersecurity hygiene, FedRAMP, EINSTEIN, TIC, MTIPS, CDM, HBSS and ACAS solutions
- Receive strategies on how to leverage these changes and initiatives to improve their security and make their FISMA efforts more effective
- Learn how to conduct a risk assessment and use the results to identity and justify more effective security solutions and gain additional resources by influencing their organization’s planning, programming, and budget processes
- Understand the CDM, SCAP, HBSS, and ACAS automated security solutions for meeting the President’s and OMB ISCM implementation requirements
- Review and obtain a real-world example of solutions and reference documents
- Identify new opportunities for innovative processes, controls, products, and services necessary to support these Presidential and NIST changes
Who Should Attend
The intended audience for the course is for Federal Agency, DoD and Intelligence employees and contractors:
- Authorization Officers (AOs), Inspector Generals (IGs)
- Senior Accountable Official for Risk Management (SAORM)
- Chief Information Officers (CIOs), Chief Financial Officers (CFOs), Chief Operations Officers (COOs), Chief Security Officers (CSOs)
- Business/Mission Owners, Program and Systems Managers (PMs and SMs)
- Senior Information Security Officers / Chief Information Security Officers ((SISOs/CISOs)
- Information System Owners, Common Control Providers (CCPs) and Information Owners
- Senior Agency Official for Privacy (SAOP) / Chief Privacy Officer (SAOP/CPO),
- Chief Acquisition Officer (CAO) and Enterprise Architect
- Information System Security Managers (ISSMs)
- Information System Security and Privacy Engineers (ISSEs, SSEs, and SPEs)
- System Security and Privacy Officers (ISSOs, SSO and SPOs)
- Security Control Assessors (SCAs and CAs)
- System Administrators (SysAdm)
- Product and Service Providers, Consultants, Integrators and Supporting Contractors
- Cybersecurity Professionals
- Supporting staff members
The learning objectives for this two-day, Executive, Manager and Operations Level course, are broad ranging and include a number of concepts and strategies including understanding the:
- Requirements of the new Presidential, OMB, DHS, and NIST requirements
- Draft updates to include NIST CSF, Risk Management Framework (RMF – SP800-37 Rev2), Security and Privacy Controls Catalog (SP800-53 Rev5 and SP800-53B)
- Strategies for leveraging government initiatives, like cybersecurity hygiene, EINSTEIN, TIC, MTIPS, CDM, HBSS and ACAS solutions
- How to influence your organization’s planning, programming, and budget processes
- Potential strategies for effectively meeting the new FISMA requirements
- Methods for reducing the amounts of resources and paperwork
- New opportunities for innovative processes, controls, products and services necessary to support these Presidential and NIST changes
Earn PDUs / CPEs
- SSCP, CISSP, ISSEP, ISSMP, ISSAP, CSSLP or CGRC credential holders from (ISC)2 can receive 14 Continuing Professional Education (CPE) credits. Credential holders must enter their CPE credits in the usual manner on the (ISC)2website for attending this Training Seminar.
- CISA, CISM, CRISC and CGEIT credential holders from ISACA can earn 14 CPE credits. (Any course that pertains to at least one of the job practice areas of the certification will qualify for CPEs. It is up to the certified person to determine if the course or activity qualifies for CPE.)
What Attendees Will Receive
- Course Manual, Study Guide, References, and Training Materials
- Electronic versions of two successful SSP documents, reference (directives, standards, directives, etc.), glossaries and acronym lists
- List of current military, government and commercial continuous monitoring tools supporting
- Certificate of Completion
Explore in a vendor-neutral, interactive academic setting how to effectively meet the new Presidential and NIST Cybersecurity requirements and FISMA Metrics, and use practical strategies and automated tools in your organization, and increase the security of your IT systems, and to identify with real-world user’s requirements for new innovative processes, controls, products and services necessary to support these and future changes.
- Attend the entire program
- Respond to all poll questions
- Complete and submit the post-event survey
CISA, CISM, CRISC and CGEIT credential holders from ISACA can earn 11 CPE credits. (Any course that pertains to at least one of the job practice areas of the certification will qualify for CPEs. It is up to the certified person to determine if the course or activity qualifies for CPE.)
About the Instructor
James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, Senior Security Expert, Litchko & Associates, Inc.
Mr. Litchko has been working as a security expert for over 40 years. Jim created and taught the first graduate computer security course as an adjunct professor at Johns Hopkins University for ten years, military officer for twenty years, and was a project manager and executive at NSA for five years. He has supervised and supported the securing of over 300 military, government and commercial IT systems. For 40 years, he successfully supported the development and sales of security products and service for seven companies, including Symantec, Telos, Security Solutions Corporation, Trusted Information Systems (acquired by Network Associates), System Research and Development (acquired by IBM), MountainWave (acquired by Symantec), and Internet Security Advisors Group (acquired by HP). Currently, he is a senior security expert for Litchko & Associates and is a Certified (ISC)2 Instructor teaching the CISSP, Engineering Professional (ISSEP), and Certified Authorization Professional (CAP) review courses, and the DIACAP and Continuous Monitoring courses for (ISC)2, Global Knowledge, Digital Government Institute, and Johns Hopkins University. A student of Ken Blanchard, Ph.D., the author of The One-Minute Manager®, Jim holds a Master’s degree from Johns Hopkins University and has authored five books on security and management topics, to include: FY2010-2021 DoD RMF Manuals, FY2010-2022 FISMA Authorization Process Guide: A Review for the (ISC)2® CAP® Certification Exam, KNOW IT Security, KNOW Your Life, 2010 Official DIACAP for Global Knowledge, and co-authored (ISC)2‘s Official Information System Security Management Professional, Cyber Threat Levels Response Handbook, Know IT Security, and Know Cyber Risk. Teaching virtual courses Internationally for 9 years.