Potomac Forum The Forum of Choice for Government & Industry Training Since 1982


NIST Risk Management Framework and New Gov Security Initiatives Training Workshop (formerly Certification and Accreditation Training Workshop)

How to Manage Risk through Authorization and Continuous Monitoring

Wednesday, September 19, 2012 - Thursday, September 20, 2012

Registration is now closed as of 2:00 pm. Onsite registration will be available at the Willard Intercontinental Hotel at 7:30am, September 19, 2012. Workshop Seats for On-Site Registration are Guaranteed. For questions, please call 703-683-1613.

Guest Speakers:


Dr. Ron Ross, NIST Fellow
FISMA Implementation Project Leader, NIST
Project Leader, Joint Task Force Transformation Initiatives Interagency Working Group
(Working Group that Developed the Unified Controls for DoD, Civilian and Intelligence Communities)


Timothy Ruland, CISM, CISSP

CISO & Chief IT Security Officer,
U.S. Census Bureau


Marian P. Cody

Senior Information Technology Portfolio Manager

Department of Housing and Urban Development



Meeting Location: 
Willard InterContinental Hotel

1401 Pennsylvania Avenue N.W.
Washington 20004
United States

Metro Center (Red, Orange, Blue Lines). Use the exit marked “12th & F Sts” to exit onto F St., then continue straight two blocks and cross 14th St.


Please join your government and industry colleagues for an educational event that will explore the Federal Information Security Management Act (FISMA), the NIST Risk Management Framework (RMF), Security Assessment and Authorization (formerly Certification and Accreditation) and new Federal Security initiatives including FedRAMP for Cloud Computing. Attendees will learn current best practices integrated into an Agency’s overall Security Program. Whether you are required to assess and authorize your systems under FISMA or DIACAP, or you manage, review, implement or observe IT Security, the information you will learn can be immediately applied within your environment.

You will hear from government and industry leaders who are involved in the Security Assessment and Authorization process and who will share with you the lessons they have learned along the way. These interactive sessions will also review some of the emerging implications and considerations in the field of Enterprise Wide Information Security.


Hear directly from the National Institute of Standards and Technology about FISMA and Security Assessment and Authorization (formerly the Certification and Accreditation process), the Risk Management Framework and where the government is going to meet its IT Security needs. Pose your questions directly to those involved in writing the guidelines mandated by FISMA.

What You Will Learn: 

  • Risk Management Framework guidance, methodology and requirements
  • The NIST Special Publication 800-53 Revision 3 Controls - In-Depth Discussion of what they mean to the Civilian, DoD, and Intel Communities and what to expect from Revision 4 due to be published in November 2012
  • Scope of verification and validation testing, evaluations, and analysis
  • How to develop a FISMA-compliant Security Plan
  • The essential roles and responsibilities for the Security Assessment and Authorization life-cycle
  • How to form teams to guide and perform Assessments and Authorizations
  • Risk management concepts
  • How Continuous Monitoring is transforming traditional FISMA practice
  • The impact that Cloud Computing and FedRAMP will have
  • The essentials of developing comprehensive security policies, standards, & procedures and other fundamentals of Enterprise Security

Who Should Attend: 

  • CIOs, CISOs, CTOs, Deputies, Associates and Staff 
  • Compliance and Enforcement Officers 
  • Security Managers and Staff
  • C&A Managers and Staff 
  • Executives, Managers, and Staff Responsible for FISMA Compliance 
  • CFO and Staff who are focusing on Certification and Accreditation Issues 
  • IGs and Auditors 
  • Program Managers Developing or Maintaining IT Systems
  • IT Professionals Interested in Improving IT Security
  • Industry Partners who Support the Government
  • State Government Security managers who voluntarily adapt the NIST Guidelines and Standards for their States


Workshop Format

  • Presentations by professional C & A consultants
  • Panel discussions led by experienced government and industry experts 
  • A hands-on workshop about developing the security plan


Attendees Receive 16 (ISC)2 Continuing Professional Education Credits 


Day One

7:30 AM
Registration and Continental Breakfast
Welcome and Introduction
  • Introduction to invited speakers and course attendees
  • Overview of discussion topics and learning objectives


Art Chantker, President, Potomac Forum

Keynote Address: Overview of NIST Guidance on System Security and Risk Management

  • Current FISMA authorization practice and new directions
Dr. Ron Ross, NIST Fellow
FISMA Implementation Project Leader, NIST
Project Leader, Joint Task Force Transformation Initiatives Interagency Working Group
(Working Group that Developed the Unified Controls for DoD, Civilian and Intelligence Communities)
9:45 Refreshment Break
Introduction to the Risk Management Framework: How we got here.
  • History, goals and requirements of FISMA
  • Understanding the “FISMA Approach”
  • Identify FISMA guidance and additional resources
10:45 Refreshment Break

Risk Management Framework, Part 1 (SP 800-37 Rev 1)

  • How to Categorize and describe  a system
  • The Selection, management, and monitoring of security controls
  • Security control Implementation and documentation


Networking Luncheon

Determining System Boundaries: What is and isn’t your system

  • What, exactly, is a System?
  • Components, subsystems, applications, complexity and the vocabulary of system descriptions



System Security Categorization: Why it is important and how to determine it

  • Introduction to FIPS 199 and SP 800-60r1
  • Discovering and documenting Information Types
  • Tailoring provisional impact levels for your system


Refreshment Break

Security Controls Using the NIST SP 800-53 Rev 3 and their Application: With a preview of changes in Revision 4

  • Introduction to SP 800-53r3 and Security Controls
  • Making authorizations simpler through effective use of Common Controls
  • Exploring considerations for Tailoring and Scoping

Compensating, Supplementing and Overlaying Security Controls

Wrap-up and Consulting Period
Opportunity to discuss specific Risk Management challenges with the Instructors.
Day One Adjourns


Day Two

7:30 AM
Registration and Continental Breakfast

Risk Management Framework, Part 2 (SP 800-37 Rev 1)

  • Assessing the security of a system and ensuring independence

Supporting the Authorization decision by knowing what’s at stake


Validating and Testing Security Controls: NIST SP 800-53A Rev 1

  • Introduction to NIST SP 800-53A Rev 1
  • Developing a Security Assessment test plan
  • Understanding how a Security Control is assessed
Refreshment Break

Cloud Computing and FedRAMP

  • What is, and isn’t, a Cloud?
  • FedRAMP as a well designed FISMA authorization program
  • How external service providers and security authorizations are affected

Real Life Experiences with the Risk Management Framework

Federal Government Panel Discusses Their Experience in Implementing the Risk Management Framework within Their Government Organizations


Timothy Ruland, CISM, CISSP

CISO & Chief IT Security Officer,
U.S. Census Bureau


Marian P. Cody

Senior Information Technology Portfolio Manager,

Department of Housing and Urban Development


12:15PM Networking Luncheon
SP 800-53A Exercise
  • The questionable joy of building a test plan
  • Making life easier with automated tools

Refreshment Break


Risk Management Framework, Part 3 (SP 800-37 Rev 1)

  • Continuous Monitoring, what that means in practice
  • How to manage ongoing security control assessments
  • Monitoring changes, remediating vulnerabilities, updating and reporting

Information Security Continuous Monitoring (ISCM): Near real-time risk management and why it is vital

  • Introduction to NIST SP 800-137
  • How Continuous Monitoring supports ongoing system authorizations
  • Creating an ISCM program, strategy through implementation


Wrap-up and Consulting Period – Opportunity to discuss specific C&A challenges with the Instructors.
Workshop Adjourns

(Agenda subject to change)


Registration Information: 



Government Employees: $1,295 (Federal, State or Local Government Issued ID) 
Special Reduced Rates in Support of Government Budget Reductions:  
Now $1,195


Team Rate for Government:  Send a government team to learn together.  Register two government employees from the same office at the same time and the third person registers at 50% of the standard government rate.    

Industry and Contractors: $1,395  (Including contractors on-site and in direct support of government agencies). 
Special Reduced Rates:  

Now  $1,295


Fees include presentation materials, presentations, continental breakfast, refreshment breaks and luncheon at the Willard InterContinental Hotel (Hotel of the Presidents).


This event is NOT for industry business developers or marketing personnel - only technical and management staff are welcome from industry

Keynote Speaker: 

Dr. Ron Ross


Leader, FISMA Implementation Team

National Institute of Standards and Technology (NIST)

Leader, Joint Transformation Initiatives Interagency Working Group
Author of SP800-53 Rev 4


Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-53 (security controls guideline), NIST SP 800-53A (security assessment guideline), NIST SP 800-37 (security authorization guideline), NIST SP 800-39 (risk management guideline), and NIST SP 800-30 (risk assessment guideline). Dr. Ross is the principal architect of the Risk Management Framework and multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Department of Defense, the Intelligence Community, the Office of the Director of National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.

In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his over twenty-year career in the United States Army.

While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a three-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Department of Commerce Gold and Silver Medal Awards. Dr. Ross has been inducted into the Information Systems Security Association (ISSA) Hall of Fame and given its highest honor of ISSA Distinguished Fellow.

Dr. Ross has also received several private sector cyber security awards and recognition including the Vanguard Chairman’s Award, the Symantec Cyber 7 Award, InformationWeek’s Government CIO 50 Award, Best of GTRA Award, and the ISACA National Capital Area Conyers Award. During his military career, Dr. Ross served as a White House aide and as a senior technical advisor to the Department of the Army. Dr. Ross is a graduate of the Defense Systems Management College and holds Masters and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School specializing in artificial intelligence and robotics.

Guest Speakers: 

Tim Ruland


Chief IT Security Officer and CISO
US Census Bureau


Mr. Ruland began his career in the military, where he served 13 years in the US Army. He served in many assignments, including Thailand, Germany, Fort Ord, CA, and Ft. Meade, MD, as a Military Intelligence Analyst and Linguist (Vietnamese, Russian and Korean) and Military Policeman. Upon his honorable discharge from the Army he served as a Software Configuration Manager with a Defense contractor for four years.


Mr. Ruland began his career at the Census Bureau in 1991 when he was hired to establish a configuration management process for the 1992 Economic Census, after which he earned the position of Division Security Officer. After spending 18 months as the Division Security Officer, Configuration Manager and system administrator, Mr. Ruland moved to the ADP Security Branch. The ADP Security Branch was a small branch of seven people in the Administrative and Finance Division. In 1998, Mr. Ruland was promoted to Branch Chief, where his first action was to change the name of the organization to better reflect the more diverse role of the organization, the IT Security Branch. Mr. Ruland has been instrumental in the development of the Census Bureau IT Security Program and the office has grown to four staffs consisting of 27 employees and approximately 20 contractors in support of the enterprise IT Security Program. He has managed the Census Bureau IT Security Program through two Decennial Census operations in 2000 and 2010 and is engaged in security planning for the 2020 Decennial Census. He has begun to implement the Risk Management Framework at the Census Bureau and began by deciding to completely change the process of system security to one that embraces and fosters a risk-based environment. He and his team have briefed Ron Ross on the process and at Ron’s suggestion have begun to present the Census Bureau framework methodology to other federal agencies.


The growth of the security staffs resulted in a reorganization establishing Mr. Ruland as the Chief Information Security Officer (CISO) reporting directly to the CIO and providing regular briefings and support to the Census senior executives as well as providing briefings to the Department of Commerce. He also successfully re-named the office to the Office of Information Security, again recognizing the changes in the scope of the mission. Mr. Ruland is a CISSP, CISM, CFCP and holds a Master’s Certificate in Project Management from George Washington University. He has completed the Framework for FISMA Seminar Series hosted by the Potomac Forum and is a FISMA Fellow. He is currently pursuing certification as an Information System Security Engineering Professional (ISSEP) from (ISC)2, and a professional certification as a Certified in Risk and Information Security Controls (CRISC) specialist through ISACA. Mr. Ruland is also working on a degree as a Paralegal. Mr. Ruland holds a Sociology Degree from the University of Maryland.

Marian P. Cody

Senior Information Technology Portfolio Manager

Department of Housing and Urban Development


Marian Cody serves as a Senior Information Technology Portfolio Manager in the Office of the Chief Information Officer (CIO) at the Department of Housing and Urban Development (HUD). Marian is working on a portfolio of high visibility information technology (IT) projects for HUD’s Deputy CIO for IT Operations. Her portfolio includes re-establishing a federally-manned security operations capability within HUD’s OCIO after more than 8 years of outsourcing this capability to HUD’s private sector IT Managed Services providers. Marian is also serving as Co-Chair on HUD’s project to modernize the Department’s Identity, Credential and Access Management program. Formerly, Marian served as the Chief Information Security Officer for both HUD and the US Environmental Protection Agency, implementing Enterprise-wide Security programs at both locations. She helped EPA earn and maintain high Congressional security scores as well as earning a Green on OMB’s E-Gov Scorecard. Marian was instrumental in automating EPA’s security program and applied the same skills at HUD. Marian has more than a decade’s experience working in the information security business from many different perspectives.


Prior to moving into information security, Marian served in a variety of functions during her federal career including serving as a special assistant to the EPA Administrator and Deputy Administrator, a team leader for EPA’s data management program, and a policy analyst in EPA’s grants office.


Daniel Philpott, CISSP, CAP

Daniel Philpott is a Federal Information Security Architect working with Federal agencies on FISMA compliance and Risk Management. He is author of the recently released FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security from Syngress.


Daniel is the founder of the FISMApedia.org wiki and FISMA Arts training projects. His pre-FISMA work at NIST involved the securing of external servers, incident response, development of security checklists, and creation of baseline system configurations.


With his technical focus, Daniel brings an operational security perspective to the theory and practice of FISMA compliance. His long experience in the IT security space provides his Federal clients with depth of knowledge and a diverse skill set encompassing compliance, practice and risk management.

Michael Smith, CISSP-ISSEP

Security Evangelist

Akamai Technologies


Michael Smith serves as Akamai’s Security Evangelist and the customer-facing ambassador from the Information Security Team. He is a cross-functional  liaison between security, sales, product management, compliance, engineering, professional services, and marketing.  He helps government and industry better understand complex IT security issues, government policy and regulations and implementation of NIST guidelines and standards.


Previously, Michael Smith was a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he led engagements to provide security services to both commercial enterprises and government agencies. Prior to joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia. His scope of responsibility included both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, and Server Management Team.


Michael has performed numerous tasks throughout the Certification and Accreditation (C&A) process for clients in the Federal Civilian and Department of Defense environments. He has designed and performed security testing and evaluation engagements against national level systems in both the Federal Civilian and Department of Defense environments.


Michael assisted with development of a DITSCAP methodology and Standard Operating Procedures for the Department of Defense's Tricare Management Activity (TMA) as well as performed many of the tasks associated with that methodology. Throughout the time Michael spent working with the TMA, he was responsible for development of documentation, performing security testing and evaluation, evaluating and conducting assessments of physical security, and the development and performance of risk assessments for remote sites throughout the continental United States.


While engaged with the Transportation Security Administration, Michael developed C&A documentation for numerous systems and sites throughout the Transportation Security Administration and helped to use C&A as the catalyst to build a security program.


Michael graduated from the prestigious Defense Language Institute in Monterey, CA with a Department of Defense advanced linguistic certification in Russian and spent several years on active duty in the US Army as a translator and specialist in information security.


In 2004, Michael was activated as a member of the Virginia National Guard and deployed to Afghanistan, where he conducted numerous combat patrols as an infantry squad leader.

Kenya Jackmon CISSP, CAP

Information Security Specialist,

Jacob and Sundstrom Inc.


Kenya Jackmon is an Information Security Specialist with Jacob and Sundstrom, located in Baltimore, Maryland. Her areas of expertise lie in HSPD-12 implementation, information assurance, security assessment, intrusion detection, systems administration, network design and administration, storage management, and on-site and remote services. Mrs. Jackmon has over 13 years of experience in information security supporting both the intelligence community and the civilian agencies.


Mrs. Jackmon has served in many roles in her career. She was instrumental in the implementation of the Intelligence Community Public Key Infrastructure. She also served as a solution architect to the Department of the Treasury and led a number of initiatives relating to E-Authentication and HSPD-12. Kenya is well known within the Federal PKI and E-Authentication communities. As an ISSO, Mrs. Jackmon was responsible for the security posture of a number of high profile systems within the Department of the Treasury. She is currently supporting the Social Security Administration in its HSPD-12 implementation and Certification and Accreditation activities.

Chris Burton, CISSP

Senior Director of Information Security,

Information Assurance Professionals (IAP)


Chris Burton is the Senior Director of Information Security with Information Assurance Professionals (IAP), specializing in information system risk management, policy, compliance and assurance. Mr. Burton has over 12 years experience in the management and operations of information systems and over 9 years of information security experience.


Mr. Burton has spent time as a security architect, auditor, engineer and analyst working specifically with NIST guidance, OMB directives and agency-specific policies. Prior to his position with IAP he worked with Verizon Business, Network Security Technologies (NetSec), BAE Systems and Orbital Science Corporation. He was instrumental in the development of the Verizon Business Federal compliance group's processes and procedures. He has developed enterprise-wide security solutions for multiple government customers. These include Intrusion Detection and Prevention systems, hard drive encryption solutions, and enterprise-wide Anti-Virus solutions. He constructed a process to automate the collection and reporting of Security Test and Evaluation data. Most recently, he has been designing and implementing an information security program for a government customer with an Internet-facing system.


Mr. Burton's government customers include components of HUD, Justice, Labor, Commerce, Agriculture, Health and Human Services, and the Treasury Department.

His personal thoughts on compliance, risk management and information security as a whole can be found at http://HowisThatAssuranceEvidence.blogspot.com . Chris is a contributor to the Open Web Application Security Project (OWASP) and an active member of the Information Systems Audit and Control Association (ISACA).

Cancellation Policy: 

Confirmed registrations who cancel within 3 business days of the program will be subject to a $250 cancellation fee. Registrations cancelled after the program starts are subject to the full registration fee. Substitutions can be made at any time. In the event a particular training workshop is cancelled, the liability of Potomac Forum, Ltd is limited to refund of any prepaid registration fee.
