RMF-CGRC Certification Training

$2,495.00 Per Enrollment

Price Includes:

Courseware and ‘Price & Quality Guarantee’

This (ISC)2 RMF-CGRC certification training course is aimed at anyone working in, or planning to work in, mid- to higher-level management positions governing information risk and security.

CGRC certification maps closely to the NIST Risk Management Framework (RMF) providing candidates a way to validate their understanding of this essential federal risk management process.

Particularly beneficial for federal government employees, where RMF is mandatory, this course will also benefit similar positions in private organizations that are increasingly integrating all or part of the RMF process into their operations.

Led by an (ISC)² skilled instructor, the CGRC certification training class provides a comprehensive review of information systems security concepts and industry best practices, covering the 7 domains of the CGRC.

CGRC certification satisfies DOD 8570 IAT IAM Level I


Got Questions?

For more information about your specific needs, call us at (301) 220 2802 or complete the form below:

No classes currently scheduled, please call for more information.





"The TrainACE team was great in getting me situated with the classes I need. Very friendly, knowledgeable and intelligent. They were able to map out the right classes to enroll in for my career path. The entire TrainAce team is phenomenal!"

Karen Carboo RMF/CGRC Student


Learn More About RMF-CGRC


    Class Schedule

    • Greenbelt & Live-Online

      08/26/24 - 08/29/24

       Mon-Thu (8:30am-5pm)

    • Greenbelt & Live-Online

      10/28/24 - 10/31/24

       Mon-Thu (8:30am-5pm)

    Get your RMF-CGRC Certification Training in our convenient IT training centers in Maryland or Virginia.


    What is RMF?

    The Risk Management Framework (RMF) was created by the National Institute of Standards and Technology (NIST) to help secure Federal information systems. The framework provides standards, processes, and guidelines for risk management in securing computers and networks.

    RMF is a highly structured process that incorporates information security, risk management, and privacy activities into a seven-step system development cycle:

    • Prepare – Setting up the RMF by defining context and priorities for managing privacy and security at the system and organizational levels
    • Categorize – Conduct an impact analysis to determine the chosen information system and the data stored in, processed by, and transmitted by that system
    • Select – Based on the security categorization determine baseline security controls for the chosen information system
    • Implement – Action the previously determined security controls
    • Assess – Have a third party review the security controls and have them ensure those controls are applied to the system properly
    • Authorize – Have a senior official make a risk-based decision to authorize the system to operate
    • Monitor – Continuously review security controls within the information system based on the previously documented processes

    While RMF is primarily used throughout the Federal government, some private companies have adopted all or part of the RMF process so that their operations dovetail neatly with their government contracts. More commonly, however, many private companies have adopted NIST's Cybersecurity Framework (CSF), elements of which also align with RMF.


    What is CGRC and How is it Related to RMF?

     Certified Authorization Professional (CGRC) is an IT certification offered by (ISC)2. Aimed primarily at information security practitioners, CGRC certification maps closely to the NIST Risk Management Framework (RMF), providing a way for IT professionals to prove their knowledge of this important federal risk management process.

    CGRC training and certification is particularly important for anyone working for the US federal government, but also for those people in private businesses that work or are hoping to work on government contracts. Many organizations around the Washington DC region, including Maryland and Virginia, have adopted all or part of the RMF process in their day-to-day operations.


    If you're looking to progress up the cybersecurity chain of command in an organization, you'll need to delve deeper into risk management. RMF-CGRC training and certification will prove that you understand the fundamentals of this critical management function and ready you for executive-level positions when the time comes.

    Once you have your security basics down, maybe attained CompTIA Security+, but certainly gained several years' experience in IT, RMF-CGRC training will take you to the next level and prepare you for management roles.

    TrainACE's RMF/CGRC course is designed for IT professionals with some experience in information security.  You will be a practitioner who champions system security commensurate with an organization’s mission and risk tolerance while meeting legal and regulatory requirements.

    RMF-CGRC training mirrors the NIST system authorization process in compliance with the Office of Management and Budget (OMB) Circular A-130, Appendix III. Led by a qualified (ISC)² instructor, the CGRC training seminar provides a comprehensive review of information systems security concepts and industry best practices, covering the 7 domains of the CGRC.

    Several types of activities are used throughout the course to reinforce topics and increase knowledge retention. These activities include open-ended questions from the instructor to the students, group assignments, matching and poll questions, group activities, open/closed questions, and group discussions. Each activity was developed to support the learning appropriate to the course topic.

    Organizations of all sizes in the Washington DC region understand the importance of information security and continue to invest large sums in relevant technology and skilled personnel. This investment has been validated by the fact that numerous government employees in Information Assurance (IA) positions, and any contractors who serve IA functions, are now required to have a CGRC certification. This requirement was initiated as part of the DoD-8570 directive and directly applies to entry and mid-level IT personnel.

    At TrainACE, our (ISC)² classes are taught by certified IT security professionals in Maryland, Virginia, or DC with a minimum of 3 years of teaching experience. Our instructors are also required to have IT security and cybersecurity experience along with additional, supplementary certifications and continued education in the industry. All classes are 32 hours long and available as daytime, evening, or weekend schedules.

    Sign up today for our convenient 4-day RMF-CGRC boot camp!


    What you need to know before taking RMF-CGRC training


    (ISC)² RMF-CGRC is a mid-level certification that requires a minimum of two years of documented experience in one or more of the seven CGRC domains. You may take the certification exam prior to completing the experience requirement, but you must then complete the experience requirement in order to gain full accreditation.

    This RMF-CGRC Bootcamp is appropriate for managers, system owners, and IT/security personnel who are either transitioning to or implementing risk management fundamentals for the first time.


      What Are the Benefits of RMF-CGRC Certification in DC?

      With a large concentration of government and military organizations around the Washington DC region, the advantage of gaining mid-level risk management skills should be fairly self-evident. Anyone looking to climb the cybersecurity or risk management career ladder can do well in a region where many security-conscious organizations are based.

        How Long Does RMF-CGRC Training Take?

        TrainACE’s RMF-CGRC training and certification course is a four-day deep dive into risk management knowledge. It will set you on a path to the large-scale risk management planning required by higher-level security positions.

        Exam and Certification Requirements:

        For full accreditation, you must have at least two years of cumulative paid work experience in at least one of the seven domains of the CGRC Common Body of Knowledge.

        Current CGRC exam:

        • 3 hours
        • 125 questions
        • Passing Score 700 out of 1000 points


        Is RMF-CGRC Certification Worth It?

        If you work, or intend to work, for the US government or military in any type of information assurance role, being able to validate that you understand RMF processes is essential. Getting your CGRC certification is the best way to do that and is certainly worth it.

        Outside of the federal workforce, RMF is increasingly being adopted by companies that work with the government. This is particularly true around Washington DC, Maryland, and Virginia, where a large proportion of IT companies are taking on government contracts that require security-aware technicians.

        Having a CGRC level of certification not only proves you understand the technical aspects of risk management but carries with it the assurance that you have a number of years of experience working in the IT security field.


        What will I learn in this RMF-CGRC class?

        Topics & Concepts Covered in Our RMF/CGRC Training Include:

        • Risk Management Process & Framework

        • Information Security, FISMA, C&A

        • System Identification (SIP)

        • Risk & Its Relation to Threat, Vulnerability & Control Relationships

        • Assessment & Accreditation Process

        • Configuration Management

        • Security Assessment and Authorization

        This training course will help candidates review and refresh their information security knowledge and identify areas they need to study for the CGRC exam. It features:

        • Approved (ISC)² courseware

        • Taught by an authorized (ISC)² instructor

        • Student handbook

        • Collaboration with classmates

        • Real-world learning activities and scenarios

        Additional Facts & FAQs

        What is the Risk Management Framework (RMF)? The Risk Management Framework (RMF) is a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risks.

        1. What guide is the RMF most commonly associated with? RMF is most commonly associated with the NIST SP 800-37 guide for "A Security Life Cycle Approach."

        2. What are the steps of the RMF process? The RMF process includes the steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

        3. What is the purpose of the RMF? The RMF is used for initially securing the protection of systems through an authorization process and then continuously monitoring and managing the security risks.

        4. Where is the RMF process carried out? The RMF process is carried out mostly in tier III of the tiered risk management hierarchy, but interactions with tiers I and II are not uncommon, such as communicating assessment results.

        5. What does the Prepare step of the RMF process involve? The Prepare step of the RMF process includes all the essential activities required for the organization to manage security and privacy risks.

        6. What does the Categorize step of the RMF process involve? The Categorize step of the RMF process involves documenting the system architecture and functions, as well as categorizing the impact levels and types of the information the system will handle.

        7. What does the Select step of the RMF process involve? The Select step of the RMF process involves selecting the set of NIST SP 800-53 controls to protect the system based on risk assessments.

        8. What does the Implement step of the RMF process involve? The Implement step of the RMF process involves implementing the controls and documenting how controls are deployed.

        9. What does the Assess step of the RMF process involve? The Assess step of the RMF process involves determining if the controls are in place, operating as intended, and producing the desired results.

        10. What does the Authorize step of the RMF process involve? The Authorize step of the RMF process involves a senior official making a risk-based decision to authorize the system to operate.

        11. What does the Monitor step of the RMF process involve? The Monitor step of the RMF process involves continuously monitoring control implementation and risks to the system.

        12. Why is the RMF process fundamental? The RMF process is fundamental for the implementation of the Federal Information Security Management Act.

        13. Who uses the RMF process? The Department of Defense is replacing the old security management program legacy Certification of Federal Risk Management Framework is now used in the departments and agencies of federal government.

        14. Why is a continuous monitoring strategy required in the RMF process? A continuous monitoring strategy is required in the RMF process to determine whether the security controls work. Continuous monitoring activities support the concept of near real-time risk management.