Information Systems Certification and Accreditation Professional

Course Outline

Module 1 – Introduction 

• Logistics
• Introduction
• Class Rules
• The ISCAP Credential
• What information will be covered?
• Relationship to Other Processes
• Changes in Terminology
• Understanding the Risk Management Framework
• NIST SP800-37 Rev1
• Emphasis of SP800-37
• Multi-tiered Risk Management 
• The Risk Management Framework
• What information will be covered?
• Summary 

 Module 2 - Introduction to the RMF

• What’s covered in this domain?
• The RMF
• The pillars of CIA
• National Strategy on Cybersecurity
• Cyber Attacks
• Federal Policy
• Actions of Executive Agencies
• Federal Policies
• E-Government Act of 2002
• FISMA
• Applying NIST 
• Special Publications
• 800-39 Purpose
• NIST SP 800-39
• Information Systems 
• What is Risk?
• Types of Risk
• Security Risk
• Information Security Risk
• Core Documents 
• Risk Management
• Risk Management Process
• IS Risk Management
• Threats
• Objectives of the RMF
• Effective Risk Management
• Risk Tolerance / Acceptance
• Risk Assessment
• Risk Response
• Risk Monitoring
• Risk Management Process
• Frame Risk
• Multi-tiered Risk Management 
• Key Parts of Tier 1
• Tier 2 Activities
• Key Parts of Tier 2 
• IS Requirements Integration
• Tier 3
• Developing Trust
• Trustworthiness
• Frame Risk
• Frame Risk Activities
• Risk Assessment
• Assess Risk Activities
• Threat
• Vulnerability
• Likelihood
• Adversarial Likelihood
• Impact
• Aggregation
• Quantitative Risk 
• Qualitative Risk
• Semi-Quantitative
• Risk Assessment Process
• Step 1 – Preparing for the Assessment
• Conducting the Risk Assessment
• Conducting the Risk Assessment
• Communicating and Sharing Risk Assessment Information 
• Maintaining the Risk Assessment 
• Risk Management Process
• Risk Responses
• Risk Response Strategy
• Risk Management Process
• Monitoring Risk
• Risk Monitoring Activities
• Moving to the RMF
• The RMF
• Security Control Assessment
• Applying the RMF
• Applying the RMF cont.
• The RMF Process
• Summary

Module 3 - The Software Development Life Cycle

• The RMF Process
• Purpose of SP800-37
• Definitions
• Guidelines for Implementing SP800-37
• Relationship with other SPs
• Tiered Risk 
• Management Approach
• Steps of the RMF
• Effective Controls
• The SDLC
• Balancing all Considerations
• The Phases of the SDLC Security Requirements
• Benefits of Early Integration
• Integration
• Integrated Project Teams
• Role of ISSOs
• Reuse of Information
• Benefits of Reuse
• Identifying Boundaries
• Well-defined Boundaries
• Correct Boundary Size
• Size of Information System Boundaries
• Key Words in Boundary Determination
• Software Applications
• Boundaries for Complex Systems
• Complex System Boundaries
• What is Security?
• Allocation of Controls to Subsystems
• Types of Controls
• Architecture and Controls
• Common Controls
• Control Selection
• Security Control Allocation
• Summary

Module 4 - RMF Step 1

• The RMF Tasks
• RMF Tasks
• Milestones
• Sequence
• The Last Step
• Legacy Systems
• Level of Effort Required
• The RMF Process
• Security Categorization
• Categorization
• Map Impact Levels
• Influence of Architecture
• Accuracy of Categorization
• Impact–based Categorization
• Categorization Levels
• Format of Categorization
• Categorization
• Appropriate Controls
• SSP
• Information System Description
• Information System Registration
• System Registration
• Milestone Checkpoint # 1
• Summary

Module 5 - RMF Step 2 

• Common Control Identification
• Common Controls
• Supplementing Common Controls
• Inheriting Controls
• Common Control Providers
• Documentation of Common Controls
• Security Control Selection
• Selection of Controls
• Control Selection
• Preparing for Monitoring
• Monitoring Strategy
• Control Monitoring
• Effective Monitoring
• Continuous Monitoring
• Security Plan Approval
• Milestone Checkpoint # 2

Module 6 - RMF Step 3 

• The RMF Process
• Security Control Implementation
• Security Controls
• Security Control Assurance
• Common Controls
• Assessments
• Security Control Documentation
• Documentation
• Functional Description
• Milestone Checkpoint #3

Module 7 - RMF Step 4

• The RMF Process
• Assessment Preparation
• The Assessment Plan
• Purpose of the Plan
• Type of Assessment
• Approval of the Plan
• External Providers
• Assessor Competence
• Assessor Independence
• Security Control Assessment
• Control Assessments
• Timing of Assessments
• Assess and Recommend Findings
• Incremental Assessments
• Access
• Security Assessment Report
• Assessment Report
• Determination of Risk
• Assessment Results
• Remediation Actions
• Report Findings
• Response to Findings
• Reassessment
• Updating the Security Plan
• The Updated Plan
• Optional Addendum
• Milestone #4

Module 8 - RMF Step 5

• The RMF Process
• Plan of Action and Milestones
• PoA&M
• Milestones
• Monitoring the PoA&M
• Documenting Weaknesses
• PoA&M Not Required
• Security Authorization Package
• Common Controls
• Updating the SSP
• Risk Determination
• Assess Current Security State
• Risk Management Strategy
• Risk Acceptance
• Explicit Acceptance of Risk
• Risk Decision
• The Authorization Decision
• Communicating the Decision
• Authorization to Operate
• Termination Date
• Interim Authorization to Test
• Interim Authorization to Operate
• Type Authorization
• Examples of Type Authorizations
• Authorization Approaches
• Authorization Rescission
• Denial of Authorization
• Authorization Decision Document
• The Decision
• Termination Date
• Decision Document
• Change in Authorizing Official
• Acceptance of Previous Authorization
• Milestone Checkpoint #5 

Module 9 - RMF Step 6

• The RMF Process
• Information System and Environment Changes
• Constant Change
• Controlling Change
• Record Changes
• Impact on Security
• Impact on Controls
• Documenting Impact
• Reauthorization
• Ongoing Security 
• Control Assessments
• Ongoing Monitoring
• Continuous Monitoring
• Control Monitoring
• Ongoing Remediation Actions
• Updated Assessments
• Remediation Actions
• Reassessing Controls
• Key Updates
• Updating the SSP
• Updating the PoA&M
• Supporting 
• Continuous Monitoring
• Security Status Reporting
• Reporting to 
• the Authorizing Official
• Security Status Reports
• Frequency of Reporting
• Reauthorization
• Ongoing Risk 
• Determination and Acceptance
• Reviewing Reports
• Metrics and Dashboards
• Maintaining Security
• Information System Removal and Decommissioning
• Disposal
• Milestone Checkpoint #6