Center for Qualified CyberSecurity Excellence & Mastery

Get Q/ualified!


Q/IAP non degree Qualified/ Information Assurance Professional CyberSecurity Certificate of Mastery CoM

Q/C&A RMF Qualified/ Certification & Accreditation Class May 15-19 2017

Do you need to implement the RMF process to assess and authorize Information Systems?

This RMF class certifies you in the CNSS 4011, 4012, 4013A, 4015, AND 4016A Certifications
1 Class - 5 NSA-CNSS Approved Certificates

Do you require a QNV or Fully Qualified Navy System Certifier and Validator Certificate?
Get RMF Risk System & Analyst Certified at SU - Get 4015 & 4106A Certified

SU RMF courses are certified by the Information Assurance Courseware Evaluation (IACE) Program - National IA Education and Training Program. SU RMF courseware meets the elements of the Committee on National Security Systems (CNSS) National Training Standards.

The IACE Program provides consistency in training and education for the information assurance skills that are critical to our nation. SINCE 2006 - SU courseware is 4011, 4012, 4013, 4015 and 4016E, I, "A" (Advanced) 4016A level.

Q/C&AThis 5-day Q/CA RMF session of Fully Qualified Navy Validator Training meets the objectives of the CNSS-4012 Senior System Manager (SSM), CNSS- 4013 Systems Administrator, CNSS-4015 System Certifier and 4016 Risk Analyst certificate course which is specifically designed to consolidate all SSM and System Certifier and Analyst knowledge requirements into a single, comprehensive curriculum. This course goes from foundational concepts of RMF to for managing cybersecurity risk. It examines the relationship between RMF and Systems Engineering, it describes the RMF, its artifacts, six steps and linkage with SE while explaining requirements for authoring and re-authoring of information systems.  Its non-technical professional training necessary to achieve the in-depth knowledge, skills, and abilities needed to enforce Information Assurance and Cybersecurity requirements, (RMF) risk management framework while appling Information System Security (INFOSEC) methodologies and facilitate authorization and accreditation (A&A) activities.

Students learn 4015 Certifier functional requirements to identify specific assurance levels achieved in meeting applicable security policies, standards and requirements to identify specific assurance levels and evaluate risk impact thresholds in meeting applicable security policies, standards and requirements to ensure RMF accrediting authorities have the information necessary to make an objective RMF accreditation determination based on an acceptable level of risk. Specific focus is directed on analyzing, evaluating, and assessing, information system security policies, processes and procedures necessary to perform the complete assessment of technical and non-technical security features and other safeguards of an system or network in an operational configuration, as well as identifying, implementing and integrating administrative actions for securing critical information infrastructures required to help protect the CIA (confidentiality, integrity and availability) of classified data, sensitive data and critical organizational computing resources.

This course is includes NSA certified (CNSS)-4016 A (Advanced) Risk Analyst objectives that measure the fundamental knowledge, skills and abilities needed to analyze, assess, control, determine, mitigate and manage risk within a federal management and acquisition framework or within federal interest computer systems that store, process, display or transmit classified or sensitive information (e.g. Personally Identifiable Information (PII), Electronically Protected Health Information (ePHI)/Individually Identifiable Health Information (IIHI) , etc).. which addresses specific knowledge factors and functional requirements established for Entry and Intermediate and ADVANCED Level Risk Analysts. Specific focus is directed on identifying, implementing and integrating management, acquisition and administrative risk methodologies for securing critical and sensitive information infrastructures and establishing standards necessary to help protect the confidentiality, maintain the integrity and ensure the availability of critical organizational computing resources.

Note: This class can be tailored to meet the CNSS 4012, 4015 and 4016 E,I, A certification needs of any organization.

Class Fee: $2,995*
Time: 7:45 am - 5pm
Location: Click here to view the class schedule
Learning Level: Understanding of TCP/IP Protocols
CPE Credits: 50 with practical 40CPE without practical
Prerequisites: Contractors and govt and military that work for government IS or won a contract award to service the military IS .
Method of Delivery - Residential On Ground
Method of Evaluation: 1. 95 % attendance 2. 100 % completion of Lab
Grading: Pass = 95% Attendance and 100% Completion of Labs and Practical
Fail => 95% Attendance and > 100% Completion of Labs and Practical

SU’sQ/CA RMF Qualified/ Certification and Accreditation Professional training and certification covers the exam objectives that measure of the knowledge, skills and abilities required for personnel involved in the process of authorizing and maintaining information systems. Specifically, this credential applies to those responsible for formalizing processes used to assess risk and establish security requirements and documentation. Their decisions will ensure that information systems possess security commensurate with the level of exposure to potential risk, as well as damage to assets or individuals. The class covers all of the latest SUT Q/CA RMF exam objectives provided the last day of class. The course is intended for students who have 6 months of experience using the Federal Risk Management Framework (RMF) or comparable experience gained from the ongoing management of information system authorizations, such as ISO 27001.

Q/CA RMF certification is appropriate for commercial markets, civilian and local governments, and the U.S. Federal government, including the State Department and the Department of Defense (DoD). Job functions such as authorization officials, system owners, information owners, information system security officers, certifiers, and senior system managers are great fits as FQNVs.

What You Will Learn

The Q/CA RMF examination tests the breadth and depth of a candidate’s knowledge by focusing on RMF 6 steps ise the Q/CA RMF exam and be prepareds taxonomy of information security topics:

Step 1: Categorize the IS

  • The ISSM/ISSO categorizes the IS based on the impact due to a loss of confidentiality (moderate/high), integrity (low/moderate/high), and availability (low/moderate/high) of the information or IS according to information provided by the IO.
  • Industry should perform a Risk/Threat Assessment for specific concerns for their Facility/Program.
  • Absent any other requirements Industry may use the DSS baseline of moderate/low/low.
  • The ISSM then documents the description, including the system/authorization boundary in the System Security Plan (SSP)
  • ISSM assign qualified personnel to RMF roles and document team member assignments in the Security Plan

This step will result in the following:

  • Artifact(s): Risk Assessment and start initial SSP describing the IS Risk(s)
  • See NIST SP 800-30 (Risk Assessment) for additional guidance.

Step 2: Select Security Controls

  • The ISSM (and ISSO, as appropriate) selects the security control baseline applicable to the IS based upon the results of the categorization and tailors the controls as needed by supplementing, modifying, or tailoring out controls to effectively manage risk for any unique system conditions.
  • The ISSM (and ISSO, as appropriate) develops a strategy for continuous monitoring of security control effectiveness.
  • The ISSM then documents the results of selecting the security controls in the SSP via the OBMS.
  • The assigned ISSP/SCA reviews the SSP to ensure it meets the necessary security requirements and effectively identifies potential risks to the IS. The ISSP/SCA also reviews the ISSM-recommended deltas from the standard baseline.
  • The ISSP/SCA then notifies the ISSM of concurrence with selected security controls. 

This step will result in the following:

  • Outcome: Agreed upon security control set.
  • Artifact(s): Continuous monitoring strategy and updated SSP with controls identified.

Step 3: Implement Security Controls

  • The ISSM and ISSO implement security controls for the IS and may conduct an initial assessment to facilitate early identification of weaknesses and deficiencies.
  • The ISSM then documents the security control implementation in the Security Controls Traceability Matrix (SCTM) portion of the SSP via the OBMS.

This step will result in the following:

  • Outcome: Implemented security requirements.
  • Artifact(s): Updated SSP with a functional description of security control implementation.

Step 4: Assess Security Controls - Part One

  • The ISSM, with the ISSO, develops a Security Assessment Plan (SAP) that addresses objectives for the assessment, methods for verifying security control compliance, the schedule for the initial control assessment, and actual assessment procedures. (Cleared Industry can leverage assessment procedures in the DAAPM).
  • The ISSM then conducts the initial assessment of the effectiveness of the security controls and documents the issues, findings, and recommendations in a Security Assessment Report (SAR).
  • The ISSM, after the initial assessment, conducts remediation actions based on the findings and recommendations in the Plan of Action and Milestones (POA&M), signs a Certification Statement, and submits the SSP (using the OBMS) to DSS.

Step 4: Assess Security Controls - Part Two

  • The ISSP/SCA receives the SSP, performs an SSP review, and conducts an on-site validation/assessment.
  • The ISSP/SCA informs the ISSM of any additional deficiencies or weaknesses discovered and identifies necessary remediation actions in a POA&M.
  • The ISSP/SCA schedules a revalidation visit if necessary and makes final updates to the SAR.

This step will result in the following:

  • Outcome: Tested, evaluated, and remediated security controls.
  • Artifact(s):  SAR, and final SSP.

Additional guidance for assessing controls:  NIST SP 800-53A
Step 5: Authorize the IS

  • The ISSP/SCA reviews and submits the security authorization package to the DAO.
  • The DAO assesses the security authorization package and issues an authorization decision for the IS—either Authorization to Operate (ATO) or Denied Authorization to Operate (DATO)—which includes any terms and conditions of operation as well as the authorization termination date (ATD).

This step will result in the following:

  • Outcome: Risk determination and acceptance decision by the DAO.
  • Artifact(s): Complete security authorization determination to include the POA&M.

Step 6: Monitor the IS

  • The ISSM determines the security impact of proposed or actual changes to the IS and its operating environment and informs the ISSP/SCA as necessary.
  • The ISSM assesses a selected subset of the security controls, based on the approved continuous monitoring strategy, and informs the ISSP/SCA of the results.
  • The ISSM updates SSP documentation and works to satisfy POA&M requirements,and provides regular status reports to their ISSP/SCA per the continuous monitoring strategy.
  • The ISSM conducts any necessary remediation actions based on findings discovered during continuous monitoring.
  • The ISSM ensures IS security documentation is updated and maintained and reviews the reported security status of the IS.
  • As necessary, the ISSM develops and implements an IS decommissioning strategy.

This step will result in the following:

  • Outcome: Continued evaluation and remediation of the authorized IS.
  • Artifact(s): Updated POA&M, updated SSP, and decommissioning strategy (as necessary).

    Transition Timeline
    Additional detailed training
    Introduction to RMF
    Continuous Monitoring
    Categorization of the System
    Selecting Security Controls
    Implementing Security Controls
    Assessing Security Controls
    Authorizing Systems
    Monitoring Security Controls

The Q/CA RMF Qualified/ Certification Authorization and Accreditation Professional credential measures of the knowledge, skills and abilities required for C&A / RMD & A&A personnel. In particular, this credential applies to professionals who need to setup the formal processes used to assess risk and establish security requirements based on regulatory standards. It’s a very important job which ensures that information systems have appropriate security controls to mitigate potential risk, as well as protecting against damage to assets or individuals. Civilians, state and local governments, as well as system integrators supporting these organizations seek after this credential.

SU Q/IAP® Qualified/ Information Assurance Professional Certificate of Mastery CoM (3 Q/IAP + Security+®, CASP®, ISMS® or CISSP®)

Q/AAP® Qualified Access, Authentication & PKI Professional Certification Class

Q/NSP® Qualified/ Network Security Policy Administrator & SOA Security Oriented Architect Certification Class

*Q/CA Qualified/ Certification & Accreditation Administrator Certification Class Certificate of Mastery CoM

DoD Information Technology Security Certification and Accreditation Process DITSCAP Certification Class

~SU Security+® CompTIA Certification Class

~SU CISSP® ISC2® Certified Information Security Systems Professional Class

SU CASP® - CompTIA Advance Security Professional Certification Class

ISSEP® ISC2® Information Security Systems Engineer Certification Class

SU CISA® Certified Information Security Auditor Certification Class

SU CISM® Certified Information Security Manager Certification Class

Certified ISO 27001 SU ISMS® Lead Auditor Certification Class

Certified ISO 27001 SU ISMS® Lead Implementation Certification Class

Basic computer literacy in TCP/IP.

*Class fees are subject to change

View Class Schedule