Security Awareness Training for Government
Compliance-grade simulations for federal civilian, DoD contractor, state, local, and tribal workforces. Nation-state phishing, ransomware, supply-chain attacks, and CUI handling, mapped to NIST 800-171, CMMC 2.0, and FISMA training requirements.
Why Government Workforces Need Threat-Specific Training
Government and public-sector entities are now the second most-targeted ransomware sector after healthcare, according to recent CISA #StopRansomware advisories. Local governments, school districts, courts, and state agencies have lost weeks of operations to attacks that started with a single phishing email or stolen contractor credential. Federal civilian agencies and DoD contractors face the additional pressure of nation-state actors who design intrusion campaigns specifically to bypass generic awareness training.
The compliance stack is dense and getting denser. NIST SP 800-171 governs CUI protection across the defense industrial base; Revision 3 is the current publication, but DFARS 252.204-7012 and the CMMC 2.0 rule still assess against Revision 2 under a DoD class deviation, so training mappings need to cite the revision your contract actually invokes. CMMC 2.0 makes those controls auditable through C3PAO assessment at Level 2 and government (DCMA DIBCAC) assessment at Level 3. FISMA, NIST SP 800-53, FedRAMP, and the OMB M-22-09 zero-trust strategy all require security awareness training, with increasingly specific evidence demands.
RansomLeak delivers role-aware training that satisfies federal, state, local, and contractor obligations in a single platform. Interactive 3D simulations rehearse the decisions that matter for grant administrators, ATO sponsors, contracting officers, sysadmins, and CUI handlers. Authority-to-operate packages, SCORM exports, and audit evidence are formatted the way assessors actually request them.
Threat Patterns Specific to Government
Nation-state phishing and APT impersonation
Federal agencies and contractors face spear-phishing campaigns from APT28, APT29, APT41, and other state-sponsored groups. Generic anti-phishing content does not prepare staff for credential-harvesting lures designed by professional intelligence services.
Ransomware on local government and schools
Counties, cities, courts, and K-12 districts have absorbed multi-week outages from Ryuk, Conti, BlackCat, and Royal. CISA #StopRansomware guidance now explicitly names workforce training as a foundational defense for the public sector.
Supply-chain compromise via contractors
SolarWinds, MOVEit, and 3CX showed how a single contractor or vendor breach can cascade across federal agencies. Contractor workforces need training that covers their role in protecting CUI, not just their own data.
BEC against grant recipients and procurement
State and local governments lose millions annually to wire-fraud schemes targeting grant disbursements, vendor payments, and capital projects. Procurement, finance, and program staff need scenario practice for verifying payment changes.
MFA bypass via tech-support and help-desk scams
The Lapsus$ and Scattered Spider playbook of social-engineering the help desk into resetting MFA continues to land. Help-desk staff need rehearsed protocols for identity proofing before any account or MFA change.
Compliance Frameworks This Page Covers
Mapping to the regulations that drive most government buying decisions.
NIST SP 800-171 (CUI protection)
Requirement family 3.2, Awareness and Training (03.02 in Revision 3), requires that organizations protecting CUI ensure managers, system administrators, and users are aware of the security risks of their activities and are trained on the policies, procedures, and controls that apply to them. DoD contractors are bound to it through DFARS 252.204-7012; civilian agencies impose it through their own contract clauses under the 32 CFR Part 2002 CUI program.
CMMC 2.0
CMMC Level 1 covers only the 15 basic safeguarding requirements of FAR 52.204-21 and contains no awareness and training practices. Level 2 adopts all 110 NIST SP 800-171 requirements, including the 3.2 family, and for most contracts requires a C3PAO assessment. Level 3 adds selected NIST SP 800-172 requirements and is assessed by the government (DCMA DIBCAC). Evidence packages for assessed levels include training records and a mapping of role-based content to the practices it satisfies.
NIST SP 800-53 and FISMA
The Awareness and Training (AT) control family applies to every federal information system. AT-2 (literacy training and awareness) and AT-3 (role-based training) sit in the low, moderate, and high baselines, and AT-4 requires retained training records, so annual training, role-based training, and documented evidence are baseline expectations at every impact level, not only for moderate and high systems.
OMB M-22-09 zero-trust and FedRAMP
Zero-trust strategy and FedRAMP authorization both reinforce phishing-resistant authentication and incident-reporting expectations. Training has to align with the agency or CSP-specific implementation, not a generic federal baseline.
Featured Exercises for Government
Pulled from the 100+ exercise catalogue, prioritized for this industry.
Phishing Email Detection
Almost every public-sector intrusion begins with a phishing email, including most state ransomware events. The single highest-leverage exercise for federal, state, and local staff.
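The header-level tells that a phishing-detection exercise trains staff to spot by eye can also be checked mechanically. The following analyzer is an added illustration and is not RansomLeak code or any exercise content from this page; the trusted-domain list and both sample messages are constructed for the example. It flags a display name that borrows a trusted agency name, a Reply-To or Return-Path that points somewhere other than the visible sender, a lookalike of a trusted domain (extra tokens or a one-character swap), and a failed SPF, DKIM, or DMARC verdict recorded by the receiving mail server.

```python
"""Header checks behind a 'Phishing Email Detection' exercise: display-name
spoofing, Reply-To / Return-Path mismatch, lookalike sender domains, and
failed SPF/DKIM/DMARC results. Added illustration, not RansomLeak code; the
trusted-domain list and both sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (hypothetical): domains the workforce legitimately receives mail from.
TRUSTED_DOMAINS = ("example-county.gov", "cisa.gov")

# Authentication-Results verdicts that count as a failure ('none' is merely absent).
FAILED_AUTH = {"fail", "softfail", "permerror", "temperror"}


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _tokens(text: str) -> set[str]:
    """Split on anything that is not a letter or digit (dots, hyphens, spaces)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def looks_like(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it or a subdomain of it:
    the trusted label reused with extra tokens (cisa-gov.com, cisa.gov.login.net)
    or a single-character swap at equal length (c1sa.gov)."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    if trusted.split(".")[0] in _tokens(domain):
        return True
    if len(domain) == len(trusted):
        return sum(a != b for a, b in zip(domain, trusted)) == 1
    return False


def analyze(raw: str) -> list[str]:
    """Return header-level findings for one RFC 5322 message; [] means no tells."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name borrows a trusted name but the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if label in _tokens(display) and from_dom != trusted \
                and not from_dom.endswith("." + trusted):
            findings.append(f"display name '{display}' but sender is @{from_dom}")

    # 2. Replies are steered to a different domain than the visible sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To @{reply_dom} differs from From @{from_dom}")

    # 3. Envelope (bounce) sender differs from the visible sender.
    ret_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if ret_dom and ret_dom != from_dom:
        findings.append(f"Return-Path @{ret_dom} differs from From @{from_dom}")

    # 4. Sender domain is a lookalike of a trusted one.
    for trusted in TRUSTED_DOMAINS:
        if looks_like(from_dom, trusted):
            findings.append(f"sender domain {from_dom} looks like {trusted}")

    # 5. The receiving MTA recorded an authentication failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in FAILED_AUTH:
            findings.append(f"{mech}={m.group(1)} in Authentication-Results")
    return findings


# Constructed sample: a credential-harvesting lure impersonating CISA.
PHISH = """From: "CISA Alerts" <alerts@cisa-gov.com>
Reply-To: helpdesk@secure-login-portal.net
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example-county.gov; spf=softfail smtp.mailfrom=mailer.example.net; dkim=none
Subject: Action required: CUI credential revalidation
Content-Type: text/plain

Please re-validate your credentials within 24 hours.
"""

# Constructed sample: a routine internal notice that should produce no findings.
LEGIT = """From: "County IT" <it-help@example-county.gov>
Return-Path: <it-help@example-county.gov>
Authentication-Results: mx.example-county.gov; spf=pass smtp.mailfrom=example-county.gov; dkim=pass header.d=example-county.gov; dmarc=pass
Subject: Scheduled maintenance Saturday
Content-Type: text/plain

Routine maintenance notice.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw))
```

The checks are deliberately conservative: a genuine subdomain such as mail.cisa.gov is never treated as a lookalike, and a dkim=none verdict is not a finding because many legitimate senders do not sign. The constructed lure trips all five checks; the internal notice trips none.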
Ransomware First-Hour Response
Walks through CISA-aligned containment decisions, internal escalation, and what NOT to do during an active incident. Tuned to public-sector reporting paths.
Social Engineering Defense
Help desks, procurement, and front-office staff face pretexting calls daily. Rehearses the identity-proofing protocol that stops Scattered Spider-style MFA-reset attacks.
AI-Powered Phishing
Nation-state and criminal actors now use generative AI to remove the tells federal staff were trained to spot. This exercise updates detection habits to the current threat.
Intentional Insider Threat
NIST SP 800-53 AT-2(2) (insider threat awareness), PM-12 (insider threat program), and CNSSD 504 make insider-threat awareness a baseline expectation. Practical scenarios for spotting and reporting concerning behavior.
MFA Setup and Phishing-Resistant Authentication
OMB M-22-09 and CISA guidance push the entire federal civilian executive branch toward phishing-resistant MFA. This exercise covers FIDO2, push fatigue, and recovery flows.
Threats this program covers
Read the pillar guide for each attack type and the exercises that train against it.
Frequently Asked Questions
Does RansomLeak training satisfy NIST SP 800-171 and CMMC 2.0?
How does this work for DoD contractors under DFARS 252.204-7012?
Can we use this for state, local, and tribal workforces?
How is the content kept current with the federal threat picture?
Does the platform integrate with our agency or contractor LMS?
Is the platform itself FedRAMP or StateRAMP authorized?
References
Primary sources cited above.
- Cybersecurity Best Practices for Government — Cybersecurity and Infrastructure Security Agency (CISA)
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations — NIST
- NIST SP 800-171 Rev. 3: Protecting Controlled Unclassified Information in Nonfederal Systems — NIST
- Cybersecurity Maturity Model Certification (CMMC) Program — U.S. Department of Defense (DoD CIO)
- Multi-State Information Sharing and Analysis Center (MS-ISAC) — Center for Internet Security (CIS)
- FedRAMP Program Documents and Authorization Guidance — FedRAMP Program Management Office (GSA)
- Cybersecurity: Federal Agencies Need to Strengthen Efforts to Address High-Risk Areas — U.S. Government Accountability Office (GAO)
Related Reading
See RansomLeak in Action
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.