Welcome to this course on the NIST Risk Management Framework, known as the RMF. In this course, you're going to learn all about the NIST Risk Management Framework and how it's used to help integrate security, privacy and cyber supply chain risk management activities into the system development life cycle. The Risk Management Framework was created by the National Institute of Standards and Technology, known as NIST, to help provide a risk-based approach to control selection and help manage organizational risk for large organizations across the globe. RMF, unlike some other frameworks, was designed to be applied to both newer systems being fielded, as well as older legacy systems that still remain in use today across our organizations. The Risk Management Framework can be applied to any type of system or technology as well, whether it's an end user's workstation, a web server, a database cluster, a cloud-based server environment, a supervisory control and data acquisition system, an internet of things device, or really any other type of computing device or system.

RMF is also designed to be flexible and scalable, so you can use it with organizations both large and small. Personally, I've used RMF in some small organizations with only a few dozen employees as well as inside of others that had tens of thousands of employees, and it can be scaled upward and downward as needed to provide the proper governance and risk management, regardless of your organization's size, scope, industry or sector. Now, to help you get the most out of the framework, we're going to move through not just the theory of how each of the seven steps in the Risk Management Framework might be used according to a textbook definition, but we'll also dive into how each step is applied in the real world to make sure that you walk away from this course with a good understanding of how you can implement the Risk Management Framework inside of your own organization.

First, we're going to begin by introducing the Risk Management Framework by providing an overview of RMF and briefly looking at each of its seven steps so that you can get a high-level overview of what RMF is and how it's going to be used. Then we're going to move into some important details concerning information security and privacy, and how those are integrated together into RMF. Also, we'll talk about authorization boundaries for a given system and how they're going to be created. We're also going to be discussing how supply chain risk management is implemented inside of the Risk Management Framework so you can better understand that process as well. Then we're going to be taking a look at how flexible RMF can be, and we're going to discuss the different requirements and controls and the difference between these two concepts, because most people get these two vital areas confused when they're trying to select and implement various controls for their IT systems.

Next, we're going to look at each of the seven steps of the Risk Management Framework in more depth, including how to prepare your organization and your system for the RMF process, how to categorize your system, how to select your controls, how to implement those selected controls, how to assess those same controls, how to gain authorization to operate your system, and how to monitor the system over time to ensure it's operating as expected. As we dive into each step, we'll cover not just the theory or details from the Risk Management Framework documentation, but we'll also share our decades of experience with you by pointing out the common pitfalls, landmines and errors that people commonly make when implementing RMF in the real world.

After that, we'll cover some other topics that are important to understand when implementing RMF, including how you can automate RMF, an introduction to eMASS, which is an acronym, and it stands for the Enterprise Mission Assurance Support Service, which is software that's used to collect data for RMF and helps you navigate the entire process, and we're going to tell you how you can combine the Risk Management Framework with the NIST Cybersecurity Framework, which we'll call CSF, to gain additional efficiencies. We'll also teach you how you can use both of them to increase the overall security of your systems. So whether you're taking this course to simply learn about the NIST Risk Management Framework or you're taking this course to learn how to implement the framework inside of your organization, this course has been designed specifically to teach you the entire NIST Risk Management Framework and how to apply it in the real world. Before we dive into the course materials, let me provide you with a quick introduction to the NIST Risk Management Framework.

After all, if your boss enrolled you in this course, you may not even know what the NIST Risk Management Framework is and what it's going to be used for. The NIST Risk Management Framework helps organizations implement a tried and true process for the preparation, categorization, selection, implementation, assessment, authorization, and monitoring of a given system and its associated security controls. But I guess that begs the question, what is a framework? Well, a framework in the cybersecurity discipline is a collection of best practices or guidelines that an organization should follow to manage its cybersecurity risk posture. Most cybersecurity frameworks have the goal of reducing the organization's exposure to cyber attacks by identifying the areas that are most at risk of being exploited by a threat actor. The NIST Risk Management Framework is just one cybersecurity framework available, but it is by far one of the most popular and widely used.

Other competing frameworks include the NIST Cybersecurity Framework, known as CSF, the Center for Internet Security's Critical Security Controls, known as CIS, and the International Standards Organization's frameworks included inside the ISO/IEC 27001 and 27002. For this course, though, we're going to be focused almost exclusively on the NIST Risk Management Framework in some of our discussions and planned implementations, but we're also going to spend a little bit of time covering how you can integrate the Risk Management Framework with the NIST Cybersecurity Framework as well, because they do work very well together. Now, hopefully you're excited to begin learning all about the NIST Risk Management Framework, but before we do, we need to take a small detour in this course to introduce you to your two instructors and give you four important tips to help you learn best during our time together. My name is Jason Dion and I am the lead instructor at Dion Training Solutions.

I've been working in the IT and cybersecurity field for over two decades for organizations both large and small. In all these organizations, though, we were focused on trying to identify, mitigate and manage cybersecurity risks to keep threat actors at bay. When I talk about small organizations, I'm talking about organizations like my own company, which has about 20 people, but I also have worked for large organizations too, and one of my last positions was for an organization that spans six continents, dozens of countries and millions of end users.

My name is Kip Boyle and I'm the founder of Cyber Risk Opportunities, where I serve as a chief information security officer for many organizations across the United States, including a professional sports team, some fast-growing financial technology companies, and a lot more. Before that, I was a full-time CISO for an insurance company, and before that I helped design mitigations for several Global 100 organizations when I worked at Stanford Research. My career in cybersecurity all started when I was on active duty in the US Air Force, where I led data protection programs for several major weapons systems like the F22 Stealth Fighter. So as you can see, we aren't just instructors, we're practitioners in the cybersecurity industry with lots of experience to share with you. So I want you to rest assured you're in good hands with us.

Now for our four tips to success in this course. First, for every video in this course you have the ability to turn on closed captions. Each video is captioned by a real human for accuracy, and this will allow you to read along with the course if you need to. Many of my students who speak English as their second language really love having those captions playing along the bottom of the videos to aid in their learning. If you want to enable the closed captions, simply click on the CC button in the bottom of your video player. The second tip is about playback speed. Some of our students say Jason speaks too fast, and others have said I speak way too slowly. Either way, you can control the speed of instruction by clicking on the 1X button in the bottom of the video player. Now, if you want me to teach faster, go ahead and choose 1.25X or even 1.5X, and if you'd like Jason to teach slower, then just click on the 0.75X or 0.5X. Faster or slower, the choice is yours.

The third tip is that this course comes with a downloadable study guide as a PDF in lesson two of the course, as well as a complete copy of the NIST Risk Management Framework as a PDF in lesson two. I recommend that you download our study guide and print it out, because it makes a great offline resource as you begin working with the NIST Risk Management Framework on a daily basis inside your organization. The fourth tip is that this course is just the beginning of your adventure into the world of cybersecurity and risk management. If you'd like to learn more, you can always visit yourcyberpath.com, where we share our experience through our free podcast and our paid membership programs. If you have any questions for us, you can always send us a video message at yourcyberpath.com/ask or you can post it in the Q and A of this course.

Now, with all the introductions behind us, let's get started with learning all about the NIST Risk Management Framework.