A tailored course, built for your situation
Audit-Tested Cyber Risk Quantification for Public-Sector Programs
Implementable risk quantification frameworks aligned with public-sector audit standards
The situation this course is for
Public-sector programs face increasing pressure to demonstrate, in measurable terms, how well they manage cyber risk. Traditional qualitative methods (high/medium/low ratings and heat maps) are no longer sufficient on their own. Assessments that lack audit-grade documentation, or that cannot be traced to a recognized control framework, often result in findings, delayed approvals, and loss of stakeholder confidence. Practitioners need structured, repeatable methods to quantify risk in ways that satisfy compliance reviewers and support investment decisions.
Who this is for
Risk officers, compliance leads, IT governance professionals, and program managers in federal, state, and local government programs or contractors supporting public-sector missions
Who this is not for
Entry-level IT staff without risk or compliance responsibilities, vendors focused solely on commercial-sector frameworks, or individuals seeking certification prep
What you walk away with
- Apply audit-tested methods to quantify cyber risk in public-sector contexts
- Align risk models with NIST, FISMA, and OMB compliance expectations
- Document risk assessments to withstand external audit scrutiny
- Integrate risk quantification into budget and procurement decision cycles
- Lead cross-functional teams using repeatable, defensible risk frameworks
The 12 modules (with all 144 chapters)
- Defining mission-aligned risk tolerance
- Public-sector vs. commercial risk contexts
- Regulatory drivers: FISMA, NIST, OMB
- The audit lifecycle and risk documentation
- Stakeholder alignment in risk programs
- Risk ownership models in decentralized agencies
- Budget cycles and risk planning alignment
- Ethical considerations in public-sector quantification
- Transparency and public accountability
- Documentation standards for external review
- Baseline control frameworks and risk adjustment
- Case study: Municipal IT risk assessment
- Designing for audit defensibility
- Mapping risk to control frameworks
- Evidence collection protocols
- Version control for risk models
- Change management in risk frameworks
- Third-party validation pathways
- Documentation for reproducibility
- Risk model peer review processes
- Maintaining independence and objectivity
- Audit trail creation for risk decisions
- Cross-agency framework alignment
- Case study: Federal grant program review
- From qualitative to quantitative assessment
- Probability estimation for cyber events
- Loss magnitude modeling
- Monte Carlo simulation basics
- Scenario selection and weighting
- Data sourcing for public-sector models
- Calibrating models to historical incidents
- Sensitivity analysis techniques
- Confidence intervals in risk estimates
- Presenting uncertainty to decision-makers
- Model validation checkpoints
- Case study: State-level cyber incident projection
- NIST CSF as a risk quantification scaffold
- Mapping controls to risk reduction
- RMF phase integration points
- Inherent vs. residual risk measurement
- Control effectiveness scoring
- Quantifying risk reduction per control
- Gap analysis with quantitative output
- Tiered risk reporting for leadership
- Crosswalk between CSF and audit criteria
- Automating control-to-risk mappings
- Updating models after control changes
- Case study: Federal agency CSF adoption
- FISMA reporting requirements
- OMB A-130 alignment points
- Annual assessment documentation
- Risk thresholds for reporting
- Agency-specific policy mapping
- Documentation for OIG review
- Risk exceptions and justification
- Continuous monitoring integration
- Automated evidence collection
- Executive summary standards
- Inter-agency risk data sharing
- Case study: Multi-agency compliance review
- Third-party risk lifecycle
- Quantifying supply chain exposure
- Contractual risk transfer mechanisms
- Audit rights and access provisions
- Vendor risk scoring models
- Subcontractor oversight requirements
- Incident response coordination
- Financial impact of vendor breaches
- Geopolitical risk factors
- Due diligence documentation standards
- Exit strategies and contingency planning
- Case study: Government contractor review
- Translating risk to mission impact
- Executive summary frameworks
- Visualizing risk for non-technical audiences
- Budget justification with risk data
- Scenario planning for decision-makers
- Risk appetite articulation
- Board-level reporting cadence
- Handling dissenting views
- Public communication considerations
- Press and media risk narratives
- Long-term trend reporting
- Case study: Public health agency briefing
- Grant lifecycle risk exposure
- Funding conditionality and risk
- Subaward risk management
- Compliance monitoring for grantees
- Reporting requirements for risk events
- Auditor expectations in grant reviews
- Risk allocation in cooperative agreements
- Documentation for pass-through entities
- Risk in multi-year grants
- Budget reallocation due to risk
- Closeout risk considerations
- Case study: Federal education grant program
- Post-incident risk reassessment
- Updating probability estimates
- Loss experience adjustments
- Root cause to control gap mapping
- Audit findings as risk inputs
- Lessons learned integration
- Revised risk scenarios
- Stakeholder communication post-event
- Regulatory reporting alignment
- Insurance claims and risk models
- Reputation risk quantification
- Case study: Ransomware event follow-up
- Interagency risk data sharing
- Common risk taxonomies
- Joint risk assessment protocols
- Memoranda of understanding
- Centralized vs. decentralized models
- Risk aggregation methods
- Dispute resolution mechanisms
- Federated risk governance
- Information sharing agreements
- Privacy considerations in collaboration
- Standardized reporting formats
- Case study: Regional emergency response network
- Selecting risk quantification platforms
- Integration with existing GRC tools
- Data pipeline design
- User access and permissions
- Change management planning
- Training for risk teams
- Pilot program design
- Metrics for program success
- Vendor selection criteria
- Open-source vs. commercial tools
- Maintaining model relevance
- Case study: State IT risk platform rollout
- Annual review processes
- Updating models for new threats
- Staff turnover and knowledge transfer
- Continuous improvement cycles
- Benchmarking against peers
- Regulatory change monitoring
- Stakeholder feedback loops
- Audit preparation cycles
- Succession planning for risk roles
- Modernization roadmaps
- Scaling programs across agencies
- Case study: Multi-year risk maturity journey
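Several of the chapters above (probability estimation for cyber events, loss magnitude modeling, Monte Carlo simulation basics, confidence intervals in risk estimates, inherent vs. residual risk measurement, and quantifying risk reduction per control) share one underlying computation, which the following added example illustrates. It is written for this page and is not Art of Service course material or one of the course templates. It assumes a frequency-times-magnitude decomposition: event frequency is modelled as a Poisson rate, per-event loss as a lognormal distribution calibrated from assumed 10th and 90th percentile estimates, and a control is modelled as a multiplier on event frequency. The ransomware scenario, its parameter values, and the control's effect are constructed assumptions, not agency data.

```python
"""Monte Carlo annual-loss model for one cyber risk scenario.

Added example for this page (not Art of Service course material).
Every parameter below is a constructed assumption, not agency data.
Standard library only; runs offline with `python3 cyber_risk_mc.py`.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal z at the 90th percentile (-Z90 at the 10th)


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate)
    loss_p10: float          # assumed 10th percentile of per-event loss, USD
    loss_p90: float          # assumed 90th percentile of per-event loss, USD


# Constructed example scenario; the numbers are illustrative, not calibrated.
RANSOMWARE = Scenario("ransomware on a benefits-processing system", 0.3, 100_000, 1_000_000)


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """p10/p90 loss estimates -> lognormal (mu, sigma).

    ln X is Normal(mu, sigma), so mu is the log-midpoint and sigma the log-spread / 2*Z90.
    """
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    log_lo, log_hi = math.log(p10), math.log(p90)
    return (log_lo + log_hi) / 2, (log_hi - log_lo) / (2 * Z90)


def poisson(rng: random.Random, lam: float) -> int:
    """Event count for one year from Poisson(lam) (Knuth's method; fine for small lam)."""
    threshold, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, iterations: int, seed: int = 12345) -> list[float]:
    """Simulate `iterations` years; each year's loss is the sum of its events' losses."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible for audit
    mu, sigma = lognormal_params(scenario.loss_p10, scenario.loss_p90)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, scenario.annual_frequency)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_expected_loss(scenario: Scenario) -> float:
    """Closed-form EAL = frequency * E[lognormal]; a validation checkpoint for the simulation."""
    mu, sigma = lognormal_params(scenario.loss_p10, scenario.loss_p90)
    return scenario.annual_frequency * math.exp(mu + sigma ** 2 / 2)


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus the tail percentiles decision-makers need to see."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(annual loss >= threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def risk_reduction(scenario: Scenario, frequency_multiplier: float, iterations: int = 20_000) -> dict[str, float]:
    """Inherent vs. residual EAL for a control modelled as scaling event frequency.

    A control that reduces impact rather than likelihood would scale loss_p10/loss_p90 instead.
    """
    residual = Scenario(scenario.name, scenario.annual_frequency * frequency_multiplier,
                        scenario.loss_p10, scenario.loss_p90)
    inherent_eal = summarize(simulate_annual_losses(scenario, iterations))["expected_annual_loss"]
    residual_eal = summarize(simulate_annual_losses(residual, iterations))["expected_annual_loss"]
    return {"inherent_eal": inherent_eal, "residual_eal": residual_eal,
            "reduction": inherent_eal - residual_eal}


if __name__ == "__main__":
    losses = simulate_annual_losses(RANSOMWARE, 20_000)
    print(f"Scenario: {RANSOMWARE.name}")
    for key, value in summarize(losses).items():
        print(f"  {key:>20}: {value:,.2f}")
    print(f"  analytic EAL check  : {analytic_expected_loss(RANSOMWARE):,.2f}")
    print(f"  P(loss >= $500k)    : {exceedance_probability(losses, 500_000):.3f}")
    print("  control halving event frequency:", risk_reduction(RANSOMWARE, 0.5))
```

Two points worth noting when adapting this. First, with an assumed frequency of 0.3 events per year, about 74% of simulated years have no event at all, so the median annual loss is zero; reporting only a median or a single point estimate understates the risk, which is why the 90th and 99th percentiles and the exceedance probability belong in the documentation an auditor or budget reviewer sees. Second, the closed-form expected loss is there as a model validation checkpoint: if the simulated mean drifts far from it, the simulation, not the risk, has changed.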
How this maps to your situation
- Preparing for federal audit review
- Designing a new risk program for a public-sector agency
- Responding to increased board oversight of cyber risk
- Leading third-party risk assessments for grant compliance
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per week over 12 weeks to complete all modules, exercises, and playbook integration.
How this compares to the alternatives
Unlike generic risk courses, this program focuses exclusively on public-sector audit requirements, compliance integration, and implementation in mission-driven environments. It provides field-tested templates and a custom playbook not available in certification prep or commercial-sector-focused training.
Frequently asked
How soon after purchase do I get access? Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.