
Building and Implementing a Risk Management Framework Program

A Guide to RMF and CAP Certification

(Author)

Book | Hardcover
360 pages
2025
CRC Press (publisher)
978-1-138-62715-4 (ISBN)
67,30 incl. VAT
Providing an overview of certification and accreditation, the second edition demonstrates the effectiveness of C&A as a risk management methodology for IT systems in public and private organizations. It enables readers to document the status of their security controls and learn how to secure IT systems via standard, repeatable processes. The text describes what it takes to build a certification and accreditation program at the organization level and analyzes various C&A processes and how they interrelate. A case study illustrates the successful implementation of certification and accreditation in a major U.S. government department.

James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, Senior Security Expert, Litchko & Associates, Inc., has been working as an information technology (IT) security expert for over 30 years. He created and taught the first graduate computer security course as an adjunct professor at Johns Hopkins University for ten years and was a project manager and executive at the National Security Agency (NSA) for five years. A career Surface Warfare Officer (SWO) and Cryptologist in the U.S. Navy, he served on naval ships, aircraft, and joint and combined commands supporting the African, Middle East, Pacific and European theaters. He was a member of the National Speakers Association (the other NSA) for five years. He has supervised and supported the securing of over 300 military, government and commercial IT systems. He has supported the securing of IT systems at DHS, NRC, VHA, NASA, DOE, EPA, GAO, USDA, USAF, DOJ, FEMA, and over 20 commercial companies using DIACAP, C&A and RMF processes. Currently, he is the senior security expert for Litchko & Associates and is a Certified (ISC)2 Instructor teaching the Certified Information System Security Professional (CISSP), Information System Security Engineering Professional (ISSEP), and Certification and Accreditation Professional (CAP) review courses, and DIACAP, DoD RMF and Continuous Monitoring courses for (ISC)2, Digital Government Institute, and Global Knowledge. He is a student of Ken Blanchard, Ph.D., the author of The One-Minute Manager®. Jim holds a master's degree from Johns Hopkins University and has authored four books on security and management topics: DoD RMF Manual, FISMA Authorization Process Guide: A Review for the (ISC)2® CAP® Certification Exam, KNOW IT Security, KNOW Your Life, and co-authored (ISC)2's Official Information System Security Management Professional, Cyber Threat Levels Response Handbook, and Know Cyber Risk.
His DoD RMF Manual and FISMA Authorization Process Guide are used by four training companies as their course material for teaching in the United States and Europe.

1. Security Authorization of Information Systems Introduction. 2. Information System Categorization. 3. Establishment of the Security Control Baseline. 4. Application of Security Controls. 5. Assessment of Security Controls. 6. Information System Authorization. 7. Security Controls Monitoring. 8. System Authorization Case Study. 9. The Future of Information System Authorization. Appendixes.

Publication date
Additional info: 35 Illustrations, black and white
Place of publication: London
Language: English
Dimensions: 156 x 234 mm
Subject area: Computer Science > Networks > Security / Firewall
Mathematics / Computer Science > Computer Science > Theory / Study
Law / Taxes > Private Law / Civil Law > IT Law
ISBN-10: 1-138-62715-1 / 1138627151
ISBN-13: 978-1-138-62715-4 / 9781138627154
Condition: New