security control assessor training
Security Control Assessors (SCAs) are the eyes and ears of the Authorizing Official (AO). The SCA is the most difficult position to hold in the Risk Management Framework (RMF), because we are expected to have expert-level knowledge of, and hands-on experience with, every security control we assess or validate. The SCA community is small and, for the most part, undertrained; most of us learn as we go. The purpose of this course is twofold: to pull as many of us together as possible for iron-sharpens-iron sessions where we learn from each other, and to train you to be a better assessor. Take a look at the sections below for a high-level description of what the training sessions will look like.
security control assessing mastery roadmap
are you ready?
Instructor Intro
I am Ernest Smith and would consider myself an elder statesman in RMF and Security Control Assessing. I have a master's in cybersecurity and a bachelor's in information security. I used to have a lot of certs but nowadays only choose to keep up CISSP and Project Management Professional (PMP) (I am very heavy into project management and process improvement). I have been active in the world of RMF for more than 12 years. I am still very active in the world of RMF as well, working projects of all kinds for all sectors. I have assessed, on behalf of authorizing officials, everything from small aircraft all the way up to top secret worldwide networks, as a lead assessor and as a member of assessment teams. I actively do ISSO/ISSM work as well. Last, I actively advise, at the agency level, AOs, SCAs, ISSOs, ISSMs, Project Managers, and any other position where RMF clarity and understanding is needed. I have a large network of other SCAs and RMF POCs that will help us all overall. To all of the other elder statesmen and experienced assessors out there, it is our job to put our arms around the up-and-comers to improve the SCA profession. Everyone, please join and create an assessor community where we are all actively sharing and getting better.
Course Information
$1,299
4 Saturdays, 2 to 3 hours per session
Download the following publications that we will take active notes on:
Training Certificate of Completion, 12 hours of training
Course Outline
Proper assessor selection ensures that the people chosen for an assessment have the skills and knowledge the assessment actually requires. We will cover the different skill sets a successful assessor needs, from technical skills to soft skills and everything in between.
Every assessment must have a documented "plan of attack" and execution that follows the assessment plan guidance in NIST SP 800-53A, Rev. 5. We will learn how to build assessment plans that work for any government agency or private-sector entity, because the 800-53A assessment methods (examine, interview, test) underpin assessments under Public Law 107-347 (FISMA), the NIST RMF, CMMC, the Department of War, every federal agency, and many others. Learning this way will prepare you to succeed anywhere an assessment plan is required.
We will learn how to conduct the assessment according to the established assessment plan, with advanced coverage of the three assessment methods: interviewing people, examining document-based artifacts, and testing actual system behavior against expected behavior (deeper than running a scanner and looking for "green" compliant items). We will also expand on cost-effective assessment approaches for our clients using the "depth" and "coverage" attributes that 800-53A attaches to each method. We will dig into NIST-defined "assurance cases": how they are built and how we assess them. Finally, we will cover specialized assessments in several areas, including physical security, databases, healthcare (HIPAA Security Risk Assessment), CMMC, smart electric grid, artificial intelligence applications, and special requests from the class.
After the assessment is over, we must communicate the results. We will learn to document a "risk level" for each finding using NIST SP 800-30 risk assessment techniques (likelihood and impact), and we will cover the report formats that differ from one agency to the next as well as the minimum content every assessment report should contain.
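As an added illustration of the "test" method and the 800-30 risk rating described above (example code written for this page, not part of the course or of any NIST publication): the script below assesses AC-7, Unsuccessful Logon Attempts, on a Linux host by comparing the organization-defined parameters against the faillock configuration and, crucially, checking whether pam_faillock is actually wired into the PAM auth stack. Assumptions are labeled in the code: the hypothetical ODP values, the constructed configuration text, and the reproduced 800-30 Table I-2 risk matrix, which you should verify against the publication.

```python
"""Added example (not course material): assess AC-7, Unsuccessful Logon
Attempts, with the 800-53A 'test' method and rate the finding with an
800-30 likelihood x impact risk level. All inputs below are constructed."""
import re
from dataclasses import dataclass, field

# Qualitative risk scale, NIST SP 800-30 Rev 1 Appendix I, Table I-2
# (likelihood rows, impact columns), reproduced from the author's notes;
# verify against the publication before relying on it.
_IMPACT = ["Very Low", "Low", "Moderate", "High", "Very High"]
_RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the level of risk for a likelihood/impact pair."""
    return _RISK_TABLE[likelihood][_IMPACT.index(impact)]


@dataclass
class Finding:
    control: str
    method: str                      # examine | interview | test
    depth: str                       # basic | focused | comprehensive
    coverage: str                    # basic | focused | comprehensive
    result: str                      # satisfied | other than satisfied
    evidence: list = field(default_factory=list)
    risk: str = "n/a"


# Organization-defined parameters for AC-7 (hypothetical values; in practice
# they come from the system security plan).
ODP = {"max_attempts": 3, "lockout_seconds": 900}


def parse_faillock_conf(text: str) -> dict:
    """Parse 'key = value' integer settings from /etc/security/faillock.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(\d+)$", line)
        if m:
            conf[m.group(1)] = int(m.group(2))
    return conf


def pam_enforces_faillock(pam_text: str) -> bool:
    """True only if the auth stack calls pam_faillock.so in both the preauth
    and authfail positions; without those lines faillock.conf is dead config."""
    preauth = authfail = False
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("auth") and "pam_faillock.so" in line:
            preauth = preauth or "preauth" in line
            authfail = authfail or "authfail" in line
    return preauth and authfail


def assess_ac7(faillock_conf: str, pam_auth: str,
               likelihood: str = "High", impact: str = "Moderate") -> Finding:
    """Test method: compare what the system will actually do on repeated
    failed logons with what AC-7 (as parameterized in ODP) requires."""
    f = Finding("AC-7", "test", "focused", "focused", "satisfied")
    conf = parse_faillock_conf(faillock_conf)
    deny, unlock = conf.get("deny"), conf.get("unlock_time")
    if deny is None or deny > ODP["max_attempts"]:
        f.result = "other than satisfied"
        f.evidence.append(f"faillock deny={deny}, required <= {ODP['max_attempts']}")
    # unlock_time = 0 means the lock is permanent until an admin clears it,
    # which is stricter than the ODP, so it passes.
    if unlock is None or (unlock != 0 and unlock < ODP["lockout_seconds"]):
        f.result = "other than satisfied"
        f.evidence.append(f"faillock unlock_time={unlock}, required >= {ODP['lockout_seconds']}")
    if not pam_enforces_faillock(pam_auth):
        # A config-file scanner would report green here; the lockout never fires.
        f.result = "other than satisfied"
        f.evidence.append("pam_faillock.so not wired into the auth stack (preauth/authfail)")
    if f.result == "other than satisfied":
        f.risk = risk_level(likelihood, impact)
    return f


# Constructed sample artifacts (not from a real system).
FAILLOCK_OK = "deny = 3\nunlock_time = 900\nfail_interval = 900\n"
PAM_ENFORCED = (
    "auth required pam_faillock.so preauth silent\n"
    "auth sufficient pam_unix.so nullok\n"
    "auth [default=die] pam_faillock.so authfail\n"
    "account required pam_faillock.so\n"
)
PAM_NOT_ENFORCED = "auth sufficient pam_unix.so nullok\naccount required pam_unix.so\n"

if __name__ == "__main__":
    for label, pam in (("enforced", PAM_ENFORCED), ("config only", PAM_NOT_ENFORCED)):
        print(label, assess_ac7(FAILLOCK_OK, pam))
```

The "config only" case is the point of the test method: a scanner that reads only faillock.conf sees compliant values, but the lockout never fires, so the control is other than satisfied and the finding carries a risk level for the report. Extend the same pattern by issuing real failed logons against a test account and confirming that the lock actually occurs.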
Once the assessment report has been delivered to the client, there will be findings (weaknesses in controls) that could not be remediated during system development or that are discovered afterward. We will train on the follow-up reassessment of those controls to confirm that they are implemented correctly, operating as intended, and producing the desired outcome, and on all related work in this area, including updating the client's risk assessment in light of the remediation activities.
The Authorizing Official relies on the plan of action and milestones (POA&M) to track remediation and to decide whether to accept the remaining risk. For that reason, we, as the AO's eyes and ears, must master the POA&M process: the ins, the outs, the do's and the don'ts. We will train on every aspect of it to become better assessors and to better serve our authorizing officials.
Stay current with evolving NIST guidance, DISA updates, and DoD/IC policy changes. Our continuing education sessions keep your team sharp and your program compliant.
