Training TR4 – Risk Management Framework: NIST SP 800-37

Marshall Abrams, The MITRE Corporation
Kelley Dempsey, National Institute of Standards and Technology

Wednesday, 15:30-17:00 & Thursday, 10:30-12:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), published Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (formerly the security certification and accreditation guideline), in February 2010. The revised publication transforms the traditional static, stovepiped certification and accreditation process into one that supports near real-time risk management. This session describes how certification and accreditation are integrated into the Risk Management Framework, and focuses on the continuous monitoring of security controls to determine the security state of organizational information systems and their environments of operation.



About the Instructors

Dr. Marshall D. Abrams is a Principal Scientist at the MITRE Corporation in McLean, Virginia. He holds two patents and has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the University of Pittsburgh. While at the National Bureau of Standards he received the Department of Commerce Silver Medal Award. He received two awards from the Federal Aviation Administration for contributions to its Information Systems Security Program. He is a Senior Life Member of the IEEE and has been honored with the IEEE Computer Society Golden Core award. He is also a Senior Fellow of the Applied Computer Security Associates. Marshall has been involved with the NIST FISMA Implementation Project since its inception.

Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the early 1990s. While with the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large-scale DITSCAP certification and accreditation from start to finish. In 2001, Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008; she has co-authored NIST SP 800-128 (Security-Focused Configuration Management) and NIST SP 800-137 (Information Security Continuous Monitoring) and was also a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, 800-53A Rev 1, and 800-39. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003, and earned the CISSP certification in June 2004.