
Security Awareness Training for Government & Public Sector

Compliance-grade simulations for federal civilian, DoD contractor, state, local, and tribal workforces. Nation-state phishing, ransomware, supply-chain attacks, and CUI handling, mapped to NIST 800-171, CMMC 2.0, FISMA, and CJIS Security Policy training requirements.


Why Government Workforces Need Threat-Specific Training

Government and public-sector entities are now the second most-targeted ransomware sector after healthcare, according to recent CISA #StopRansomware advisories. Local governments, school districts, courts, and state agencies have lost weeks of operations to attacks that started with a single phishing email or stolen contractor credential. Federal civilian agencies and DoD contractors face the additional pressure of nation-state actors who design intrusion campaigns specifically to bypass generic awareness training.

The compliance stack is dense and getting denser. NIST SP 800-171 Revision 3 governs CUI protection across the defense industrial base. CMMC 2.0 makes those controls auditable through third-party assessments at Levels 2 and 3. FISMA, NIST SP 800-53, FedRAMP, OMB M-22-09 zero-trust, and CJIS Security Policy 5.13.1 all require security awareness training, with increasingly specific evidence demands.

RansomLeak delivers role-aware training that satisfies federal, state, local, and contractor obligations in a single platform. Interactive 3D simulations rehearse the decisions that matter for grant administrators, ATO sponsors, contracting officers, sysadmins, and CUI handlers. Authority-to-operate packages, SCORM exports, and audit evidence are formatted the way assessors actually request them.

Threat Patterns Specific to Government

1. Nation-state phishing and APT impersonation

Federal agencies and contractors face spear-phishing campaigns from APT28, APT29, APT41, and other state-sponsored groups. Generic anti-phishing content does not prepare staff for credential-harvesting lures designed by professional intelligence services.

2. Ransomware on local government and schools

Counties, cities, courts, and K-12 districts have absorbed multi-week outages from Ryuk, Conti, BlackCat, and Royal. CISA #StopRansomware guidance now explicitly names workforce training as a foundational defense for the public sector.

3. Supply-chain compromise via contractors

SolarWinds, MOVEit, and 3CX showed how a single contractor or vendor breach can cascade across federal agencies. Contractor workforces need training that covers their role in protecting CUI, not just their own data.

4. BEC against grant recipients and procurement

State and local governments lose millions annually to wire-fraud schemes targeting grant disbursements, vendor payments, and capital projects. Procurement, finance, and program staff need scenario practice for verifying payment changes.

5. MFA bypass via tech-support and help-desk scams

The Lapsus$ and Scattered Spider playbook of social-engineering the help desk into resetting MFA continues to succeed. Help-desk staff need rehearsed protocols for identity proofing before any account or MFA change.

Compliance Frameworks This Page Covers

Mapping to the regulations that drive most government & public sector buying decisions.

NIST SP 800-171 (CUI protection)

Family 3.2 Awareness and Training requires that organizations protecting CUI ensure managers, sysadmins, and users are aware of security risks and trained on the controls that apply to them. Defense and federal contractors are bound to this through DFARS 252.204-7012.

CMMC 2.0

CMMC Levels 1, 2, and 3 each include awareness and training practices derived from NIST 800-171 and 800-172. Level 2 and Level 3 require third-party assessment, with evidence packages that include training records and role-based content mapping.

NIST SP 800-53 and FISMA

The Awareness and Training (AT) control family applies to all federal information systems. Annual training, role-based training, and documented evidence are baseline expectations across moderate- and high-impact systems.

CJIS Security Policy

Section 5.13.1 of the FBI CJIS Security Policy requires basic and advanced security awareness training for all personnel with access to criminal-justice information, with content covering specific topics across law-enforcement, dispatch, and IT roles.

OMB M-22-09 zero-trust and FedRAMP

Zero-trust strategy and FedRAMP authorization both reinforce phishing-resistant authentication and incident-reporting expectations. Training has to align with the agency- or CSP-specific implementation, not a generic federal baseline.


What Is Security Awareness Training for Government?

Security awareness training for government is a compliance-driven education program that prepares federal, state, local, tribal, and contractor workforces to recognize and respond to nation-state, criminal, and insider threats targeting public-sector systems and CUI. It is required by NIST SP 800-171 family 3.2, CMMC 2.0 awareness and training practices, NIST SP 800-53 AT controls under FISMA, and CJIS Security Policy 5.13.1, plus agency-specific overlays.

In practice, government training has to cover more than baseline phishing detection. It must rehearse role-specific decisions for ATO sponsors, contracting officers, grant administrators, help-desk identity proofing, CUI handling, and incident reporting through US-CERT or agency SOC channels. CISA #StopRansomware guidance and zero-trust strategy under OMB M-22-09 both push toward measurable behavior change rather than completion records.

RansomLeak delivers training through interactive 3D simulations rather than passive videos. The platform exports SCORM 1.2 and 2004 packages to agency and contractor LMSes, supplies audit-ready evidence packages mapped to NIST 800-171, CMMC 2.0, FISMA, and CJIS, and includes scenarios for nation-state phishing, ransomware, supply-chain compromise, BEC, deepfake calls, and MFA-reset social engineering. Contractors get a single export per CMMC assessment.

Frequently Asked Questions

What buyers in government & public sector ask most often.

Does RansomLeak training satisfy NIST SP 800-171 and CMMC 2.0?

Yes. The catalogue maps to NIST 800-171 family 3.2 awareness and training and to the equivalent CMMC 2.0 practices at Levels 1, 2, and 3. Per-employee evidence reports and role-based content matrices are formatted for C3PAO assessment review.

Do you support CJIS Security Policy 5.13.1 training requirements?

Yes. Basic and advanced topics under Section 5.13.1 are covered, including content on access control, password management, social engineering, malicious code, and reporting. The platform tracks the role-specific content required for personnel with physical, logical, or technical access to CJI.

How does this work for DoD contractors under DFARS 252.204-7012?

Contractors must implement NIST 800-171 controls, including awareness and training. RansomLeak provides the training delivery and the audit evidence, and the SCORM exports let prime contractors push consistent content to subcontractors through any LMS. Reports support both DoD self-assessment and CMMC third-party assessment.

Can we use this for state, local, and tribal workforces?

Yes. The catalogue covers state IT, local government, K-12, public-safety, and court workforces, including ransomware and BEC scenarios specifically observed in CISA #StopRansomware advisories targeting the SLTT sector. State CIOs and homeland-security advisors run the platform across multi-agency footprints.

How is the content kept current with the federal threat picture?

New exercises ship monthly and existing scenarios are updated when CISA advisories, JCDC alerts, or NSA cybersecurity advisories change the threat picture. Recent updates added deepfake voice cloning, AI-powered phishing, and Scattered Spider-style help-desk social engineering.

Does the platform integrate with our agency or contractor LMS?

Every exercise exports as SCORM 1.2 and SCORM 2004, tested with 50+ LMSes including Cornerstone, Saba, Workday, SAP SuccessFactors, Moodle, Docebo, and Canvas. For agencies and contractors without an LMS, the cloud platform offers SSO, MFA, and segregated tenants.

Is the platform itself FedRAMP or StateRAMP authorized?

The cloud platform is built on FedRAMP-authorized infrastructure components. For agencies that require a fully authorized SaaS, RansomLeak provides SCORM packages that run inside an existing FedRAMP-authorized LMS, keeping all data within the agency boundary.

Bring This Program to Government & Public Sector

Book a 30-minute walkthrough tailored to your workforce, LMS stack, and audit timeline.