NIST Cybersecurity Professional®
NCSP® 800-37 Foundation Certificate


Build Risk‑Informed Cybersecurity Capability with the NIST SP 800‑37 RMF

NIST Cybersecurity Professional (NCSP) 800-37 Foundation

Course Description

Modern organisations face increasing pressure to manage cybersecurity and privacy risks in a structured, repeatable, and defensible way. The NIST SP 800‑37 Risk Management Framework (RMF) provides a comprehensive lifecycle for managing risk across information systems, integrating security and privacy into organisational governance, system development, and operational processes.

The NCSP® 800‑37 Foundation Certificate is a 2‑day, instructor‑led course introducing participants to the principles, lifecycle stages, and governance structures of the NIST RMF. The course explains how RMF supports enterprise‑wide risk management, how it aligns with the NIST Cybersecurity Framework (CSF) 2.0, and how organisations can apply RMF to strengthen assurance, compliance, and operational resilience.

Participants learn how to categorise systems, select and implement controls, assess risk, authorise systems, and maintain continuous monitoring across diverse environments.

What You Will Learn

Participants gain foundational knowledge required to understand and apply the NIST RMF. You will learn:

  • How the NIST RMF aligns with the NIST CSF 2.0 and supports enterprise risk‑based decision‑making.

  • The structure, purpose, and scope of NIST SP 800‑37 Rev. 2.

  • How to apply the seven RMF steps across system lifecycles and organisational governance processes.

  • How to categorise systems, select controls, and document risk decisions.

  • How to integrate RMF activities into system development, operations, and continuous monitoring.

  • How RMF supports assurance, compliance, and organisational resilience.

Course Agenda

Day 1: RMF Foundations, Governance & Early Lifecycle Stages

Module 1: Introduction to NIST SP 800‑37 Rev. 2

  • Understanding the purpose of the Risk Management Framework, its evolution, and how it integrates security and privacy into organisational processes.

Module 2: RMF Roles, Responsibilities & Governance

  • Exploring key RMF roles (Authorising Official, System Owner, ISSO, Assessor), governance structures, and organisational risk tolerance.

Module 3: RMF Step 1 — Prepare

  • Establishing organisational and system‑level readiness, defining risk context, and aligning RMF with enterprise governance.

Module 4: RMF Step 2 — Categorise the System

  • Applying FIPS 199 and FIPS 200, determining impact levels, and documenting system characteristics.

Module 5: RMF Step 3 — Select Security Controls

  • Using NIST SP 800‑53 control baselines, tailoring controls, and documenting selection decisions.

Day 2: RMF Implementation, Assessment, Authorisation & Monitoring

Module 6: RMF Step 4 — Implement Security Controls

  • Implementing technical, operational, and management controls and integrating them into system development processes.

Module 7: RMF Step 5 — Assess Security Controls

  • Conducting assessments, validating control effectiveness, and preparing assessment reports.

Module 8: RMF Step 6 — Authorise the System

  • Understanding risk acceptance, authorisation packages, and the role of the Authorising Official.

Module 9: RMF Step 7 — Monitor Security Controls

  • Implementing continuous monitoring, ongoing authorisation, and maintaining situational awareness.

Module 10: RMF in Practice

  • Applying RMF across cloud, hybrid, and enterprise environments; aligning RMF with NIST CSF 2.0; and integrating RMF into organisational risk management.

Learning Outcomes

Participants will be able to:

  • Explain how NIST SP 800‑37 supports the NIST Cybersecurity Framework 2.0 and enterprise risk management.

  • Describe the seven steps of the RMF and how they integrate into organisational governance.

  • Categorise systems, select controls, and document risk‑based decisions.

  • Apply RMF concepts to system development, operations, and continuous monitoring.

  • Understand the roles and responsibilities required to implement RMF effectively.

  • Translate NIST SP 800‑37 guidance into actionable practices that strengthen organisational assurance and resilience.

Who Should Attend?

This course is designed for professionals involved in cybersecurity, risk management, and system governance, including:

  • Cybersecurity & Risk Management Professionals

  • System Owners & Information System Security Officers (ISSOs)

  • Governance, Risk & Compliance (GRC) Teams

  • IT & Security Managers

  • System Developers & Architects

  • Assurance & Audit Professionals

  • Programme & Project Managers supporting system authorisation

Prerequisites

There are no formal prerequisites for this Foundation‑level course, though a basic understanding of cybersecurity, data science, or risk management is helpful.

Participants are provided with:

  • NIST Cybersecurity Professional® (NCSP®) 800-37 Foundation Certificate courseware including links to further reading and resources.

  • NIST Cybersecurity Professional® (NCSP®) 800-37 Foundation Certificate, Certificate of Completion.

  • NIST Cybersecurity Professional® (NCSP®) 800-37 Foundation Certificate digital badge.

Enrol Today

Master the NIST Risk Management Framework (RMF) and learn how to implement the full lifecycle of system authorisation and continuous monitoring.

Further Reading

NIST 800-37 Rev 2 - Risk Management Framework for Information Systems and Organizations

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf