System Assessment and Authorization Process

This two-day course introduces the NIST Risk Management Framework (RMF) process for system assessment and authorization. The RMF is the cybersecurity framework mandated for Federal Government departments and agencies, including the U.S. Department of Defense (DoD). Like other NIST guidance, the RMF is also used by organizations outside of the federal government to ensure a comprehensive and effective system assessment and authorization process.

This course places the RMF process within a broader Cyber Risk Management and Resilience context and provides guidance on implementing a disciplined and effective RMF process. The course includes lectures and class exercises with opportunity for discussions and participant questions. After attending the course, participants will understand the fundamental concepts underpinning the Risk Management Framework, have a working knowledge of RMF process steps, and be able to improve the implementation of RMF in their organizations.


Leaders, managers, and technical staff members with oversight and/or management responsibility for information system:

  • development, integration, or acquisition,
  • security or privacy control implementation,
  • security or privacy assessment,
  • authorization,
  • monitoring,
  • operations.

Those wishing to gain implementation knowledge as well as high-level knowledge of RMF and NIST Security Controls will find value in attending as well.


This class will teach students about the Risk Management Framework and explore the six steps identified in NIST Special Publication 800-37 Rev 1, the updates in Revision 2, and approaches to implementing the NIST RMF. RMF aims to improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies.

Successful completion of this course will enable participants to:

  • Describe how System Authorization fits into an organization's security strategy
  • Identify governance components that impact the System Authorization process
  • Explain how Privacy and Security drive control requirements
  • Explain the steps to authorize a system
  • Identify various roles and responsibilities associated with System Authorization
  • Begin planning for implementation of RMF in their organization


  • Risk Management and Resilience
  • Cybersecurity Frameworks and Standards
  • Privacy and Security
  • NIST Risk Management Framework (RMF)
    • Prepare
    • Categorization of the information system
    • Select Security Controls
    • Implement Controls
    • Assess Controls
    • Authorize the System
    • Monitor
  • RMF Roles and Responsibilities


Participants will receive a course notebook and a downloadable copy of course materials, including course slides, supplementary handouts, and exercises.


This course has no prerequisites.

Course Fees [USD]

  • U.S. Industry: $1,500.00
  • U.S. Govt/Academic: $1,200.00
  • International: $2,250.00


This two-day course meets at the following times:

Days 1-2, 8:30 a.m. - 4:30 p.m. Eastern Time

This course may be offered by special arrangement at customer sites. For details, please email or telephone at +1 412-268-1817.

Course Questions?

Phone: 412-268-7388

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.