Practitioner-led workshops, intensives, and bootcamps covering the compliance frameworks that govern defense, federal, and SLED programs. Every session is led by Carl B. Johnson, President & CISO of Cleared Systems, drawing on direct assessment and remediation experience across CMMC, NIST 800-171, ITAR, DFARS, FedRAMP, and ISO 27001 engagements.
A focused workshop for defense contractors preparing for a CMMC Level 2 third-party assessment. Covers scope determination, the 110 NIST 800-171 practices, common assessor findings, evidence packaging, and remediation planning to close gaps before the C3PAO arrives.
Five-day intensive walking through every NIST SP 800-171 Rev. 3 control family. Each day covers two to three families with hands-on exercises in policy drafting, control implementation, and evidence collection. Includes downloadable templates and a mock self-assessment.
Two-day intensive on building and operating an ITAR compliance program. Covers DDTC registration, USML categorization, technical data controls, deemed export rules, brokering compliance, and recordkeeping. Includes case studies from defense manufacturing engagements.
A practitioner-led tabletop exercise walking through the DFARS 7012 incident response timeline: 72-hour DIBNet reporting, evidence preservation, malware submission, damage assessment, and subcontractor notification. Designed for compliance and IT leadership at DoD contractors.
End-to-end masterclass on the FedRAMP authorization process for cloud service providers. Covers Low/Moderate/High baseline selection, FedRAMP Ready vs Authorized, agency sponsor strategy, 3PAO selection, ConMon obligations, and budget planning. Includes lessons learned from recent authorizations.
Practitioner workshop on Controlled Unclassified Information identification, banner marking, portion marking, dissemination controls, and decontrol procedures. Aligned to NARA CUI Registry categories and 32 CFR Part 2002 requirements. Critical training for any organization receiving federal data.
Two-day intensive for technology leaders stepping into virtual CISO responsibility. Covers risk assessment methodology, policy framework selection, compliance roadmap construction, board reporting, and budget defense. Designed for fractional CISOs and compliance directors at small-to-midsize federal contractors.
Workshop for U.S. subsidiaries of foreign-owned parent companies pursuing or maintaining facility security clearances. Covers Foreign Ownership, Control, or Influence (FOCI) determinations, mitigation instruments (Voting Trust, Proxy Agreement, Special Security Agreement), and Industrial Resource Action Plan (IRAP) requirements under DCSA oversight.
Masterclass on assessing the maturity of an existing compliance program against industry benchmarks. Uses the CMMI for Cybersecurity model and NIST CSF Implementation Tiers to score people, process, and technology dimensions. Output is a board-ready maturity report and three-year roadmap. Useful for new CISOs and incoming compliance directors.
Five-day on-site bootcamp simulating a CMMC Level 2 assessment. Includes scope review, control walk-throughs, evidence sampling, interview practice, and a mock final assessment. Each participant receives an individualized gap report and remediation roadmap aligned to current Cyber-AB assessment expectations.
Three-day course preparing internal auditors for ISO 27001:2022 ISMS audits. Covers Annex A control structure (organizational, people, physical, technological), risk-based audit planning, evidence collection, nonconformity classification, and audit reporting. Aligns to ISO 19011 audit principles.
A focused workshop on operationalizing DFARS 7012 cyber incident reporting through the DIBNet portal. Covers event triage, the 72-hour clock, mandatory data fields, DC3/DCISE coordination, and post-report subcontractor flow-down. Includes redacted examples from real incident reports.
Five-day deep dive into NIST SP 800-53 Rev. 5 control families as applied in FedRAMP authorizations. Each day covers four to five control families with FedRAMP-specific parameter values, common implementation patterns, and 3PAO assessment criteria. Includes baseline crosswalk from Rev. 4.
Workshop on Privileged Access Management requirements across NIST 800-171 (3.1.1, 3.1.5, 3.1.7), NIST 800-53 (AC-2, AC-6), and CMMC L2. Covers PAM tool selection (CyberArk, BeyondTrust, Delinea), session recording, just-in-time access, and the evidence assessors expect. Includes implementation patterns for cloud and on-premises environments.
Workshop on Export Administration Regulations compliance for software, hardware, and technology firms. Covers ECCN classification methodology, the Commerce Country Chart, license exceptions, the Entity List, deemed export rules, and recordkeeping. Companion piece to the ITAR session for dual-use exporters.
Targeted workshop for contractors handling Federal Contract Information (FCI) only. Walks through the 17 FAR 52.204-21 practices that constitute CMMC Level 1, the annual self-assessment requirement, SPRS posting, and the affirmation process. Most concise path to CMMC compliance for non-CDI contractors.
Two-day intensive for vendors and integrators serving state, local, and tribal law enforcement. Covers FBI CJIS Security Policy v5.9 areas including personnel screening, advanced authentication, encryption standards, audit logging, and incident response. Critical for SaaS providers with criminal justice information system access.
Hands-on masterclass building a System Security Plan and Plan of Action & Milestones suitable for CMMC Level 2 submission. Covers system boundary documentation, control implementation statements, evidence cross-references, and the SPRS scoring methodology. Participants leave with templated artifacts.
Workshop on HIPAA Security Rule implementation for organizations supporting federal healthcare programs (VA, IHS, CMS, DHA). Covers administrative, physical, and technical safeguards, business associate agreements, the relationship to NIST 800-66, and the intersection with FedRAMP for cloud-hosted ePHI.
Workshop on the StateRAMP authorization process for cloud service providers selling to state and local agencies. Covers the StateRAMP Security Snapshot, Ready vs Authorized status, baseline selection, the difference from FedRAMP, and the Product Authorization Management process. Includes timing and budget planning.
Two-day intensive on the NIST Secure Software Development Framework (SSDF), Software Bill of Materials generation, and the OMB M-22-18 attestation requirements for federal contractors. Covers tooling, format selection (SPDX vs CycloneDX), vulnerability disclosure, and CISA self-attestation form completion.
Workshop applying NIST SP 800-30 Rev. 1 to a sample federal contractor environment. Covers threat source characterization, vulnerability identification, likelihood and impact analysis, risk determination, and risk response. Output is a defensible risk assessment artifact suitable for ATO packages and CMMC evidence.
Five-day bootcamp on planning and executing a Microsoft 365 GCC High migration for defense contractors. Covers tenant procurement, identity migration, mailbox cutover, SharePoint/OneDrive content moves, Teams configuration, AIP labeling, and CMMC-aligned configuration baselines. Includes lessons from recent CDI tenant migrations.
Workshop on designing a vulnerability management program meeting NIST SP 800-171 control 3.11 and CMMC L2 expectations. Covers asset inventory, scanner selection (Tenable, Rapid7, Qualys), scanning cadence, integration of the CISA Known Exploited Vulnerabilities (KEV) catalog into prioritization, remediation SLAs, exception management, and metrics for executive reporting. Includes sample policy and procedure templates.
Workshop for organizations winning their first DoD contract or entering the Defense Industrial Base. Covers the cybersecurity clause stack (DFARS 7012, 7019, 7020, 7021), CMMC level determination, SPRS account setup, the gap-assessment-to-implementation roadmap, and budgeting for compliance overhead.
Two-day intensive on architecting AWS GovCloud (US) workloads to support ITAR-controlled and CMMC-scoped data. Covers account structure, IAM and SCP design, encryption with KMS, logging strategies, the AWS shared responsibility model in GovCloud, and the FedRAMP/DoD IL inheritance model.
Workshop applying the NIST Cybersecurity Framework 2.0 to build organizational and target profiles. Covers the new Govern function, the Implementation Tiers, profile-driven gap analysis, and the relationship between CSF and other frameworks (NIST 800-53, ISO 27001, CMMC). Useful for boards and executive briefings.
Masterclass on assembling assessment-grade evidence packages for CMMC Level 2. Covers evidence types (interviews, examination, testing), the artifact-to-control mapping, evidence storage and access controls, common assessor requests, and avoiding the most frequent evidence gaps that cause assessment delays.
Two-day intensive for Facility Security Officers and personnel security teams at cleared defense contractors. Covers NISPOM Rule (32 CFR Part 117) requirements, DISS workflows, SF-86 processing, continuous evaluation, foreign contact reporting, and DCSA security review preparation. Includes recent NISP enforcement trends.
Workshop on operationalizing Zero Trust Architecture per OMB M-22-09 and CISA Zero Trust Maturity Model 2.0. Covers the five pillars (identity, devices, networks, applications, data), maturity assessment, the federal ZTA roadmap, and implementation patterns for contractors aligning to agency Zero Trust mandates.
Workshop on preparing for a SOC 2 Type II examination. Covers Trust Services Criteria selection, control design, the audit period, evidence collection cadence, common auditor findings, and the relationship between SOC 2 and other frameworks (ISO 27001, FedRAMP, HIPAA). Targeted at SaaS providers with enterprise customers.
Five-day bootcamp on the CMMC 2.0 Final Rule (32 CFR Part 170) implementation requirements for defense contractors. Covers the rolling phase-in, level determination, scope and inheritance, the assessment ecosystem, and operational considerations including ESPs, FedRAMP equivalency, and external service provider risk. Reflects the most current DoD CIO guidance.
Workshop on operating a FedRAMP-authorized cloud service in production. Covers monthly POA&M reporting, vulnerability scanning cadence, significant change requests, annual assessment preparation, and the FedRAMP PMO escalation process. Designed for CSPs and 3PAOs maintaining authorizations.
Workshop on the federal cybersecurity clause landscape across FAR and DFARS. Covers FAR 52.204-21 (basic safeguarding), FAR 52.204-25 (covered telecommunications), FAR 52.204-27 (TikTok prohibition), DFARS 252.204-7012/7019/7020/7021, and the proposed FAR Case 2021-019 government-wide CUI rule. Useful for contracts and compliance teams.
Workshop on the FTC Safeguards Rule (16 CFR Part 314) requirements applicable to higher education, financial services, and any organization meeting the financial institution definition. Covers the 9 elements of the information security program, board reporting, the Qualified Individual role, and the 30-day breach notification trigger.
Cleared Systems delivers customized on-site or virtual training for compliance teams, IT departments, and executive briefings. Schedule a session aligned to your specific framework requirements and team experience level.