• Classroom
Course Description

STS Systems Support, LLC (SSS) is pleased to offer an intense 5-day NIST Security Controls workshop for those personnel who must understand, implement, maintain, address and transition to the new NIST SP 800-53 Rev. 4 (soon Rev. 5) security controls. It is highly recommended that the student complete the RMF Workshop or have a complete understanding of, or experience with, the new NIST Risk Management Framework (RMF) / Security Authorization Process (SAP).

NIST, working with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), has established a common, FISMA-compliant foundation for information security/assurance across the entire federal government. The old, system-centric NIST C&A process (NIST SP 800-37) has been revitalized (integrated into NIST’s RMF) and totally transformed into a “near real time risk management” process based on continuous Information System monitoring, fully integrating the new SAP.

This workshop builds on and strengthens the student's NIST RMF/SAP knowledge base. The blend of lecture and hands-on exercises continues, providing the student with highly detailed information concerning the NIST SP 800-53 Rev. 4 (soon Rev. 5) / CNSSI 1253 security control selection and specification process and the guidance/activities necessary to translate the security controls identified in the Information System’s Security Plan into an effective implementation.

Learning Objectives

Module 1: Introduction / Review
• Workshop Introduction / Key Concepts
• The Need to Protect Information and Information Systems
• Purpose and Applicability
• Target Audience
• Relationship to other Security Control Publications
• Organizational Responsibilities
• Q&A/End of Module 1 Exercise(s)

Module 2: Security Controls Fundamentals
• Introduction
• Multi-tier Risk Management
• Security Control Structure
• Security Control Baselines
• Security Control Designations
• External Service Providers
• Assurance and Trustworthiness
• Revisions and Extensions
• Q&A/End of Module 2 Exercise(s)

Module 3: The Process / Part 1: Selecting / Tailoring Security Controls
• Selecting Security Controls
- Security Categorization
- Baseline Selection
• Tailoring Baseline Security Controls
- Identifying and Designating Common Controls
- Applying Scoping Considerations
- Selecting Compensating Security Controls
- Assigning Security Control Parameter Values
- Supplementing Security Control Baselines
- Providing Additional Specification Information for Control Implementation
• Q&A/End of Module 3 Exercise(s)

Module 4: The Process / Part 2: Overlays / Documenting / Systems
• Creating Overlays
• Documenting the Control Selection Process
• New Development and Legacy Systems
• Q&A/End of Module 4 Exercise(s)

Module 5: Implementing the Security Controls (Students will use Modified SP 800-53 Workbook)
• Implementation Tips
• The PM Controls
• The Dash-1 Controls
• The A&A Controls
• The Privacy Controls
• International INFOSEC Standards
• ICS Security Controls - SP 800-82
• The AT Controls
• The CA Controls
• The AC Controls
• NIST SP 800-70

RMF Bonus Module

Framework Connections