The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational risk in accordance with NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. For individuals with experience with NIST SP 800-37, Revision 1, this course explains updates to the RMF in Revision 2, including the integration of privacy and supply chain risk management into this holistic process.
The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.
This course describes at a high level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the RMF, and the NIST publications related to each step.
The Risk Management Framework for Systems and Organizations Introductory Course is developed by NIST and available free of charge.
Course Duration: Three hours
Q: Is this a self-guided or instructor-led course?
A: The Risk Management Framework for Systems and Organizations Introductory Course is a self-guided online course.
Q: Is there a fee to take this training?
A: No, the Risk Management Framework for Systems and Organizations Introductory Course is free to any interested party.
Q: Does the training include a certificate of completion?
A: Upon completion of the course, there is a certificate of completion.
Q: Does the course include closed captioning?
A: Yes. Please click the "Notes" tab in the upper right-hand corner of the course for a transcript of each slide.
Q: How do I print the certificate of completion?
A: Use the browser's print option, generally found in the browser menu, to print or capture a PDF of the certificate.
Q: How can I earn Continuing Education Credits (CEC) or Continuing Professional Education (CPE) credits?
A: NIST does not issue CEC or CPE credits. Individuals who complete the online course can capture the certificate and submit it to their respective certifying body/organization.
Q: Can I pause the course and resume it later?
A: You can leave the course at any time and resume it from where you left off if you enable cookies for this website in your browser.
Q: Can I skip ahead to expedite the course?
A: Clicking on the NEXT > button will not let you skip ahead; you must view the entire slide before you can continue. It has been reported that manually skipping to the end of the video may cause playback to freeze, requiring the course to be restarted.
Q: What should I do if I am encountering technical issues with the training (e.g., buffering issues)?
A: This could be caused by many different issues. We recommend checking your internet connection, enabling cookies (so you don't lose your place in the training), refreshing the page or restarting the internet browser, or trying the site again at a later time.
Q: How can I request a copy of the slides?
A: Please contact sec-cert@nist.gov for a copy of the slides in PowerPoint format. Please note the slides will not include the course completion certificate.
Software Disclaimer
NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software.
NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.
The course is also available for organizations that wish to include it in their Learning Management Systems (LMS), in the following LMS standards: SCORM, AICC, xAPI, and cmi5. For more information, please contact sec-cert@nist.gov.
Security and Privacy: general security & privacy, privacy, risk management, security measurement, security programs & operations
Laws and Regulations: E-Government Act, Federal Information Security Modernization Act