NIST Risk Management Framework RMF

Q: Are these courses self-guided or instructor-led?

A: The courses provided are self-guided online courses.

Q: Is there a fee to access these courses?

A: No. The NIST materials provided on the CSRC website, including the RMF and SP 800-53 series introductory courses, are free to any interested party.

Q: Is registration required?

A: No. Registration is not required to access the courses.

Q: Do the courses include closed captioning?

A: Please click the “Notes” icon in the upper right-hand corner of the course player for a transcript of the slide narration.

Q: Do the course materials support the use of assistive technologies?

A: The course presentations have been designed and developed to meet our responsibilities under Section 508 of the Rehabilitation Act. The presentation player provides a screen-reading option in the upper-left corner of the web site that works with assistive technologies. The screen-reading option may not be available on some tablet or smart phone devices.

Q: What do these courses cover?

A: These courses provide a high-level overview of important security and privacy risk management concepts based directly on the material in the NIST special publications.

• The RMF introductory course gives an overview of a methodology for managing organizational risk in accordance with NIST Special Publication (SP) 800-37, Revision 2.

• The SP 800-53 introductory course explains the concepts of security and privacy controls and introduces the SP 800-53 control catalog.

• The SP 800-53A introductory course explores a methodology and set of procedures for assessing and monitoring the effectiveness of SP 800-53 controls selected and implemented.

• The SP 800-53B introductory course provides guidance for selecting controls from the SP 800-53 control catalog using security and privacy control baselines. This includes tailoring the selection of controls to best support the management of organizational and system risks.

For additional details about the content of each course, please see the full course description.

Q: Do I need to have any prior knowledge about cybersecurity concepts to understand the material in these courses?

A: Topics in the courses are addressed at a high-level, with references to supporting material. Individuals new to cybersecurity can benefit from reviewing NIST SP 800-12, An Introduction to Information Security, which explains basic cybersecurity concepts that can provide additional context to the material and examples presented in the course.

Additionally, the NIST Small Business Cybersecurity Corner provides a Cybersecurity Fundamentals presentation which illustrates basic cybersecurity and risk management concepts.

Q: Which course should I complete first?

A: There is no defined order for completing the courses. It may be helpful to understand the central concepts of the NIST Risk Management Framework (RMF) before starting the NIST SP 800-53 series courses, but it is not required.

Q: Do I need any specific hardware or software to access the courses?

A: The course presentations can be accessed using a web browser on a wide range of devices, including desktops, laptops, tablets, and smart phones.

Q: What web browser is best for viewing the course material?

A: To view the course content, please use an up-to-date version of Microsoft Edge, Mozilla Firefox, Google Chrome, or Safari browsers. For mobile device users, iOS 14 or Android 7 is recommended.

Q: Can I pause the course and resume it later?

A: You can leave the course at any time and resume it from where you left off by enabling cookies for this website in your browser. If you are using the browser in private or incognito mode, cookies are deleted after the browser is closed and the course cannot be resumed.

Q: Can I skip ahead to expedite the course?

A: Clicking on the “NEXT >” button will not allow you to advance to the next slide without viewing the entire current slide. It has been reported that manually skipping to the end of the current slide, using the slide timer, may cause the playback to freeze and require the course to be restarted.

Q: What should I do if I am encountering technical issues playing back the courses (e.g., buffering issues)?

A: This could be caused by many different issues. We recommend checking your internet connection, enabling cookies (so progress information can be temporarily saved), refreshing the page or restarting the internet browser, or trying the site again later.

Q: Is there a quiz at the end of each course?

A: No, there are no quizzes at the end of each course. The material in each course is provided for informational purposes only.

Q: Are certificates issued upon completion of the courses?

A: At the end of each course presented on this NIST website, a certificate of course completion is provided as a courtesy. The certificate only identifies that the course material was viewed and does not attest to any qualifications, knowledge, or skill level resulting from the completion of the course.

Q: How do I print the certificate of completion?

A: Use the browser's print option, generally found in the browser menu, to print or capture a PDF of the course certificate. Please add your name and the date of completion to the certificate.

Q: How can I earn Continuing Education Credits (CEC) or Continuing Professional Education (CPE) credits?

A: NIST does not issue CEC or CPE credits. Individuals who complete the online courses can capture the certificate, add their name and the date of course completion to the certificate.

Q: How can I get a copy of the course materials to share within my organization?

A: Contact the NIST Risk Management Framework (RMF) Team at sec-cert@nist.gov to request a copy of the course materials.

• The slide content for each course is available in PowerPoint format. Note that these materials will include the transcription of the narration in the slide notes but will not include the course completion certificate.

• The narrated course content is available in a variety of Learning Management System (LMS) formats, including AICC, cmi5, Experience API (xAPI), and SCORM (1.2, 2004).

Please indicate the course requested, the required format, and a valid email address for receiving the requested material.

Q: Can I use the course material to teach a class?

A: You may present the course materials to support your own cybersecurity learning program; however, attribution to NIST is appreciated. The use of certain NIST-produced content requires permission. Please contact the NIST Risk Management Framework (RMF) Team at sec-cert@nist.gov if you have any questions about using the course materials as part of your curriculum.

Q: Can NIST present this material to my organization as an instructor-led course?

A: The NIST Risk Management Framework (RMF) Team does not have instructors to teach these courses. If you are interested in having a representative from the NIST RMF Team present a more in-depth topic related to the RMF and supporting publications at an upcoming meeting or event, please complete and submit the speaker request form at least 2 weeks prior to the event, and allow up to 5 business days for a decision on the request to be made.

NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software.

NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.

You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.

The course is also available for organizations who wish to include it in their Learning Management Systems (LMS) in the following LMS standards: SCORM, AICC, xAPI, and cmi5.  For more information, please contact sec-cert@nist.gov.