
Risk Management Framework (RMF) & (ISC)2 CAP


32 Hours

This course covers the essential skills and knowledge concerning the Risk Management Framework (RMF) as defined by the National Institute of Standards and Technology (NIST) in support of the Federal Information Security Management Act (FISMA). In addition, this course prepares the student for the (ISC)2 CAP (Certified Authorization Professional, formerly the Certification and Accreditation Professional) exam.

College: N/A Contract Course - Contact the instructor for more information.

Online during the day Pacific time

In person during winter or summer break

Audience and Recommended Prerequisites

The student should have experience, knowledge, or skills in any of the following areas:

  • Information Assurance and IT Security

  • Information Risk Management

  • Certification, system testing and continuous monitoring

  • Systems Administration

  • 1 - 2 years of general technical experience

  • 2 years of general systems experience

  • 1 - 2 years of database/systems development/network experience

  • Information Security Policy

  • Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms

  • Strong familiarity with NIST documentation

Recommended Texts
Official (ISC)2® Guide to the CAP® CBK®, Second Edition by Patrick D. Howard
Jul 18, 2012
ISBN-13: 978-1439820759
Available at Amazon

Student Learning Outcomes

  • Describe the six steps of the risk management framework

  • Describe the processes and tasks necessary for the risk management framework

Measurable Objectives

At the completion of the course, students should be able to describe and comprehend:

  • The risk management approach to security authorization

  • The risk management framework steps

  • Roles and responsibilities related to the risk management framework

  • The relationship between the RMF and SDLC

  • The relationship between the RMF and DIACAP

  • The relationship between the RMF and NIACAP

  • The risk management framework in relation to Critical Infrastructure and Cyber Security

  • The legal, regulatory, and other requirements for security authorization

  • Common controls and security control inheritance

  • Ongoing monitoring strategies

  • The categorization of the system

  • Information systems security boundaries

  • Selecting and documenting security controls

  • How to develop a security control monitoring strategy

  • The need for review and approval of the system security plan

  • How to implement selective security controls and document the implementation

  • How to prepare for security control assessment

  • How to establish a security control assessment plan

  • How to determine the security control effectiveness

  • How to develop the initial security assessment report

  • The need for remediation actions

  • How to develop a plan of actions and milestones

  • The needed documentation for security authorization package

  • Risk Assessment and Management

  • Acceptable risk

  • The impact of changes to systems and environments

  • The need to perform ongoing security control assessments

  • The need to conduct ongoing remediation actions

  • Updating the documentation and the need to perform periodic security status reports

  • The need to perform ongoing risk determination and acceptance

  • Issues related to decommissioning or removing a system

Course Outline (Lessons)


  1. (ISC)2 CAP Certification

  2. Introduction

  3. Building a Successful Program

  4. RMF Roles and Responsibilities

  5. The RMF Life Cycle

  6. Why RMF Programs Fail or Lack Efficiency

  7. RMF Project Planning

  8. System Categorization and Definition

  9. Security Categorization

  10. Information Systems Boundaries

  11. Security Control Selection and Documentation

  12. Minimum Security Baselines and Best Practices

  13. System Security Plan (SSP)

  14. Control Implementation

  15. Prioritized Approach

  16. Configuration Management

  17. Security Procedures

  18. Coordinating Security for Interconnected Systems

  19. Assessing Security Controls

  20. Remediation Planning

  21. Essential RMF Documentation

  22. Assessing Risk

  23. Documenting the Authorization Decision

  24. Continuous Monitoring

  25. Contingency Planning

  26. Security Awareness

  27. Incident Response

  28. Framework for Improving Critical Infrastructure Cybersecurity

  29. Review


Pre-class Preparation
In order to get the most out of this class, please complete the following tasks before attending the class. If you do not complete these tasks before the class, make sure you have time to complete them before you take the exam.
Important Reading

Download and read through the following documents:

Read the Official (ISC)2 book:

  • Official (ISC)2 Guide to the CAP CBK (Second Edition)

You may notice from the CAP Candidate Information Bulletin that it stresses NIST documents. The main document is NIST SP 800-37 Rev 1 (or the latest revision). This is a must read. If you don't read it, the probability that you will pass the exam is greatly diminished. Read through the following documents:


Recommended Additional Reference Materials
If time permits, read the NIST and other documents listed in the CAP Candidate Information Bulletin.
Understanding NIST documents is the key to passing this exam. Read as many of the documents listed in the CAP Candidate Information Bulletin as you can. Most importantly, you need to read NIST SP 800-37 Rev 1.


NIST SP Publications can be found at the following website:


Optional Activities (If time permits)
Read through the following documents:

Syllabus subject to change upon notification by the instructor. If you have any questions about this syllabus, contact your instructor.
