The Cybersecurity Risk Management Framework workshop introduces the NIST RMF and explains how to implement the three parts of the framework: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The workshop explains the cyber tools and techniques that will aid participants in implementing the cyber risk management frameworks, principles, practices, and tools listed in the RMF, NIST 800-37. The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) will also be introduced to assist in determining cyber domain baselines and benchmarks. See figure below.
Participants will be given opportunities to apply the risk tools and techniques learned to actual cyber risk examples. The goal for participants is to be able to minimize cyber risks and maximize opportunities using the NIST RMF and cyber tools listed in the RMF.
Upon completion, participants will be able to lead and/or actively participate in cybersecurity project teams and evaluate cyber risks, threats, and vulnerabilities in operational and supply chain projects. Participants will be able to establish a cybersecurity program or improve an existing one. Participants will learn and apply cyber risk management frameworks, processes, techniques, and tools, and will learn how to develop cyber risk registers, cyber heat maps, cyber risk control templates, and cyber risk strategies based on the NIST RMF.
- Define key cyber security concepts based on NIST RMF, NIST 800-37, NIST 800-53, etc.
- Implement the NIST RMF Core to identify, protect, detect, respond, and recover.
- Identify business requirements, cyber risk tolerance, and resources by conducting cyber gap analysis and target opportunities for improvement using NIST RMF Implementation Tiers, DOE ES-C2M2 Tool Kit, and NIST 800’s.
- Develop privacy controls and civil liberty compliance practices using RMF and NIST 800-53.
- Demonstrate how to implement the RMF Core, from Functions, Categories, and Subcategories to Informative References (NIST 800’s), establishing suitable cyber risk controls.
- Use risk (treatment) strategies to mitigate cyber risks, control risks, and maximize opportunities.
- Introduction to Risk Drivers, such as CIP, Executive Order 13603, OMB, DOD, DHS, etc.
- Risk Frameworks, such as ISO 31K, COSO, COBIT, NIST RMF.
- Risk Framework cycles: NIST RMF, ISO PDCA, etc.
- Process Risk Management using the Department of Energy cybersecurity CMM.
- How To Use the NIST Framework Core – Core Functions, Categories, Subcategories, Informative References.
- Cyber security example and CIP case study.
- Review of RMF Tools such as DOE CMM, NIST RMF, COBIT 5, ISO 27001, ISA 62443, NIST 800-37/53, CCS, etc.
- SEI Capability Maturity Model & RMF Implementation Tiers Application.
- Develop and Use RMF Profiles.
- Definition and Selection of Suitable Implementation Risk Strategies, Mitigations, & Controls at Executive Level, Business/Process Level, & Operations Level.