The comprehensive CNSS-4016 Risk Analysis Certification and the Federal Risk Management Framework (RMF) training for Information System Security Managers (ISSM's), Certification Agents and Security Control Assessors (SCA's) has application to both computing hardware and software environments. More specifically, the CNSS-4016 Risk Analysis Certification and Risk Management Framework (RMF) practicum and methodology is expressly designed for cybersecurity practitioners that exercise security or Assessment and Authorization (A&A) as well as Program or Acquisition Management control over critical information infrastructures. This certification program provides intense, highly concentrated, technical, non-technical professional training necessary to achieve the fundamental knowledge, skills, and abilities needed to analyze, assess, control, determine, mitigate and manage risks within large computer systems that store, process, display or transmit classified or sensitive information. This certification provides training in knowledge factors and functional requirements established for Intermediate to Advanced Level Risk Analysts and addresses professional processes and policy requirements established within the federal Risk Management Framework (RMF). Specific focus is directed on identifying, implementing and integrating management, acquisition and administrative risk methodologies for securing critical information infrastructures and establishing standards necessary to help protect the confidentiality, maintain the integrity and ensure the availability of critical organizational computing resources within a risk managed framework. Topical areas include those actions and activities necessary to facilitate risk centric analysis and assessment requirements as well as RMF actions and activities necessary to ensure that Authorizing Officials (AO's) have the information necessary to make informed, risk-based decisions. Special attention is directed on analyzing, evaluating, and assessing information system security risks and the procedures necessary to assess the impact and consequence of a realized risk on critical information infrastructures.