CS4680 Introduction to Risk Management Framework

This course provides in-depth instruction on the Risk Management Framework (RMF) and the DoD/DoN security assessment process. It includes an introduction to the Risk Management Framework as applied to procurement and lifecycle management of DoD and federal government information systems, with a focus on the role of the Security Controls Assessor. Topics include the principal roles in the process, functional components, and the authorization package required by the Assess and Authorize (A&A) process. Also included is a discussion of the DoD/DoN A&A process specifications currently in use (RMF with tailoring guidance from the DoD and the Committee on National Security Systems) and the continuing effort by the Joint Transformation Working Group aimed at producing federated guidance. In the laboratory portion of the course, students will complete 2 or 3 case studies of information systems that have been evaluated under the current DoD criteria in preparation for authorization to carry sensitive information. The students will study each system from concept through final system assessment and authorization. They will examine and evaluate the security policies, system and security architecture, design, implementation, deployment, management, evolution, assurances, etc. through available documentation and other evidence, in order to determine whether the systems will be secure enough to process or transmit information at the appropriate levels of assurance. The case studies are based on information available about deployed systems, and the course is therefore restricted to U.S. students only.


CS3670 or Consent of Instructor

Lecture Hours


Lab Hours