The Cyber Training Academy
& RMF Resource Center
Powered by ECG
Comprehensive Training for the Federal Security Lifecycle.
1. Core RMF Methodology
The foundational courses for mastering the RMF lifecycle.
RMF for DoD IT Training
The industry-standard course for the Department of Defense. This intensive four-day program covers the entire RMF lifecycle (Steps 1-6/7), transitioning from the theoretical "DoD Instruction 8510.01" to the practical application of security controls.
DoD Employees, Contractors, Information System Owners (ISOs), and ISSOs.
- CNSS Instruction 1253
- NIST SP 800-53 Rev 4/5
- DoD Specific Overlays
- The Authorization to Operate (ATO) package
RMF for Federal 2.0
Designed for non-DoD federal agencies, this course focuses on the "Civil" application of RMF as mandated by FISMA. It strips away the DoD-specific terminology and focuses purely on NIST compliance.
Civil Agencies (DHS, NASA, Dept of Energy), Federal Contractors, and Consultants.
- NIST SP 800-37 Rev 2
- FISMA regulations and OMB memorandums
- Privacy overlays required for federal systems
- FIPS 199 Categorization
2. Operational Workshops
Hands-on technical training for the practitioners doing the work.
eMASS Simulator
The Enterprise Mission Assurance Support Service (eMASS) is the "system of record" for DoD RMF. This course provides practical, hands-on experience in the tool itself.
- System registration & Updates
- Importing Scan Results (ACAS/STIG)
- Artifact & POA&M management
STIG 101 2.0
The DISA Security Technical Implementation Guides (STIGs) are the technical "hardening" standard. This course bridges the gap between policy and the command line.
- DISA STIG Viewer
- SCAP Compliance Checker (SCC)
- Remediating Cat I/II/III vulnerabilities
Security Controls, Implementation and Assessment 2.0
Dedicated entirely to Step 3 (Implement) and Step 4 (Assess). Teaches how to write control descriptions and test them properly.
- Writing "Common Control" descriptions
- Developing audit test plans
- Gathering evidence artifacts
First Responder: Digital Evidence Collection & Triage
Guidelines on the collection and preservation of data relevant to a security incident. Focuses on the "Critical 15 Minutes" following detection.
- Volatile Data Acquisition (RAM)
- Chain of Custody procedures
- Forensic Imaging (Dead box vs. Live)
- Triage Analysis (Logs, Prefetch, Registry)
3. Advanced Strategy & Modernization
Next-level courses for Cloud, Monitoring, and Governance.
Cloud Authorization & FedRAMP Strategy
Moving to the cloud doesn't remove the need for RMF—it complicates it. This course covers the intersection of DoD RMF and FedRAMP, helping you understand the Shared Responsibility Model and how to inherit controls from CSPs.
Cloud Service Providers (CSPs), Mission Owners migrating to cloud, and ISSOs managing cloud-based systems.
Key Topics:
- FedRAMP Authorization Process
- DoD Cloud Computing Security Requirements Guide (SRG)
- Inheriting controls from AWS, Azure, and Google Cloud
Continuous Monitoring & Ongoing Authorization
Getting an ATO is Step 1. Keeping it is the rest of your life. This course focuses on Step 6 (Monitor) of the RMF lifecycle, helping you transition from "Snapshot Compliance" (checking boxes every 3 years) to "Continuous Compliance."
ISSOs, Security Control Assessors (SCAs), and System Administrators responsible for patching and monitoring.
Key Topics:
- NIST SP 800-137 Guidelines
- Automated monitoring tools & Dashboarding risk
- Maintaining "Ongoing Authorization" status
NIST Cybersecurity Framework (CSF) 2.0
The newly updated NIST CSF 2.0 is the gold standard for voluntary private sector security and is increasingly relevant to federal contractors. It provides a common language for discussing risk with executives.
CISOs, Risk Managers, and Security Directors in both public and private sectors.
Key Topics:
- The 6 Core Functions: Govern, Identify, Protect, Detect, Respond, Recover
- Implementation Tiers & Profiles
- Mapping CSF to RMF (NIST 800-53)
RMF Project Management & ATO Strategy
RMF is effectively a massive Project Management exercise. This course applies PMI standards (PMP/CAPM) specifically to the RMF authorization process, teaching how to keep the ATO on track and under budget.
Program Managers (PMs), ISSMs, and ISSOs leading authorization efforts.
Key Topics:
- RACI charts for security roles
- Critical path analysis for ATOs
- Resource leveling & Communication plans
4. Certification Preparation
DoD 8570/8140 Compliance Training.
CGRC (formerly CAP)
The premier certification for RMF practitioners. Validates your ability to authorize and maintain information systems.
CISSP
The gold standard for information security leadership. Covers the 8 domains of the (ISC)² CBK.
CompTIA Security+ / CySA+
Baseline technical certifications for the workforce. Required for IAT Level II and various CSSP roles.
5. Bundled Programs Overview
Quality + Value: Combine courses to maximize training budget.
Program Update: The bundles below are examples of our most popular combinations. The current logic applies to our updated course catalog: Purchase the "RMF for DoD IT" (4-Day) class + any 1-Day supplemental class to receive a significant discount.
Build Your Own Bundle
The Cyber Training Academy offers several “Bundling” opportunities. By combining our core RMF for DoD IT or RMF for Federal 2.0 classes with any combination of our 1-day online supplemental classes, our customers receive a reduced price.
Step 1: Select Core Class
- RMF for DoD IT Training (4 Days)
- RMF for Federal 2.0 Training (4 Days)
Step 2: Add Supplemental Classes (1 Day)
Sample Bundle Configurations
The Practitioner Bundle
Ideal for ISSOs managing systems daily.
- ✅ RMF for DoD IT
- ✅ STIG Compliance (101)
- ✅ Mastering eMASS
Cloud Transition Bundle
For agencies migrating RMF workloads to AWS/Azure.
- ✅ RMF for DoD IT
- ✅ Mastering eMASS
- ✅ RMF in the Cloud
Certification & Strategy
Prepare for the exam and ongoing monitoring.
- ✅ RMF for DoD IT
- ✅ Continuous Monitoring
- ✅ CGRC (CAP) Prep