Skip to main content
Image coming soon

LAN Hardening for Federal Network Technicians

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

LAN Hardening for Federal Network Technicians

Build the documentation, audit trail, and zero-trust segmentation your SO requires before the next compliance review.

A LAN technician in a federal contractor environment carries two jobs at once: keep the network running, and keep it documented well enough that the STIG assessment does not produce findings. Most of the time those two jobs are in tension. The switch that got reconfigured last Tuesday to fix a latency issue is not yet in the topology map. The VLAN that was provisioned for a new project has an access-control list that was copied from the previous segment and never tightened. The ISSO asks for a current-state diagram and what comes back is a Visio file from eighteen months ago. That is not a process problem. It is a documentation and hardening method problem, and this course teaches the method.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Federal contractor networks are assessed against STIG benchmarks, NIST 800-53 controls, and the network-specific requirements in the system's ATO package. The assessor does not care that the topology changed three times this quarter. They check the artefacts: the current network diagram, the device configuration baselines, the access-control list review log, the change records. When the artefacts are incomplete or inconsistent with what is on the wire, findings get written. CAT II findings delay the ATO. CAT I findings stop it. The technician who owns the LAN segment is the person best positioned to prevent this, because they are the person who touches the configs. But most LAN technicians were never taught how to build compliance-grade documentation as part of their daily work. They were taught to make the network work. This course teaches the compliance layer on top of the technical layer.

What you walk away with

  • Produce a current-state network topology diagram that meets the documentation standard an ISSO or assessor expects to see.
  • Build and maintain device configuration baselines for switches and routers that survive a STIG CAT II finding review.
  • Write access-control lists and VLAN segmentation policies that align with zero-trust network principles and RMF boundary requirements.
  • Create a change log and configuration audit trail that demonstrates continuous compliance between formal assessments.
  • Translate a STIG checklist finding into a remediation artefact your security officer can close without additional explanation.
  • Hand off a complete network compliance package to a new technician or auditor without a verbal walkthrough.

The 12 modules

Module 1. What the Assessor Actually Checks
Most STIG findings at the network layer come from documentation gaps, not technical failures. This module maps the specific artefacts a federal assessor checks during a network-layer STIG review: current topology diagrams, device configuration exports, ACL documentation, and change records. You will learn exactly what 'compliant documentation' means in practice and why the gap between a working network and a documented network is where CAT II findings are written.
Module 2. Building a Topology Map That Survives Scrutiny
A Visio file from last year is not a current-state diagram. This module teaches how to build and maintain a topology map at the fidelity level an ISSO and assessor require: interface-level detail, VLAN boundaries, trust zone demarcation, and external connection points documented to match the ATO boundary. Includes a downloadable template aligned to RMF documentation standards, and a process for updating the diagram within a defined window after any config change.
Module 3. Device Configuration Baselines for Cisco and Similar Platforms
A configuration baseline is not just a backup. It is the comparison document that proves your device matches the approved hardened state. This module walks through how to build a baseline config file for each device class in your environment, how to document approved deviations, and how to use a diff review to surface non-compliant changes before an assessor finds them. Covers Cisco IOS and IOS-XE as the reference platform, with the method transferable to other vendors.
Module 4. VLAN Segmentation and Zero-Trust Boundary Enforcement
Zero-trust network architecture at the LAN level means no implicit trust between segments, even inside the same physical environment. This module covers how to design and document VLAN segmentation that satisfies both the operational requirement and the RMF boundary control. You will build inter-VLAN routing policies that restrict lateral movement, document the trust zone boundaries your ISSO needs for the SSP, and produce the access-control list that enforces each boundary at the port level.
Module 5. Access-Control List Hardening and Documentation
ACLs copied from prior deployments carry the risk of the prior deployment. This module teaches how to audit an existing ACL set against the current topology and the system's approved data flows, how to document each rule with a business justification, and how to build a review log that demonstrates the ACL is actively maintained. Special focus on the STIG ACL checks that most frequently produce findings: implicit deny, any-any rules, and undocumented management access entries.
Module 6. Switch Port Security and 802.1X Configuration
Port security controls are a common STIG requirement and a common finding. This module covers how to configure and document 802.1X authentication, MAC address filtering, and port shutdown policies for unused ports. You will produce the configuration documentation and the operational runbook your ISSO needs to demonstrate the control is in place and the exception process is defined. Covers both the technical implementation and the artefact that proves the implementation to an auditor.
Module 7. Change Management as a Compliance Artefact
Every config change that is not logged is a potential finding. This module builds a change management process that fits a federal contractor LAN environment: fast enough for operations, documented enough to satisfy a CM control audit. You will design a change log template, a pre-change and post-change verification checklist, and a rollback procedure that doubles as compliance evidence. The output is a log the security officer can hand to an auditor without a supplementary briefing.
Module 8. Translating STIG Findings into Remediation Artefacts
When an assessor writes a CAT II finding, the response is not just a config fix. It is a documented remediation artefact: what was found, what was changed, what the new state is, and who verified it. This module teaches the exact format federal STIG remediation artefacts take, how to write a Plan of Action and Milestones entry for a network finding, and how to produce a verification screenshot or config export that closes the finding without a re-assessment visit.
Module 9. Network Boundary Documentation for the SSP
The System Security Plan describes the network boundary that the ATO covers. The LAN technician is often the person with the most accurate picture of what that boundary actually looks like. This module explains how to contribute to the SSP network section: how to describe your boundary in the language an authorizing official understands, how to document interconnections and data flows, and how to flag changes that require a significant change review before they go live.
Module 10. Continuous Monitoring at the Network Layer
An ATO does not end at authorization. Continuous monitoring means your network remains compliant between formal assessments. This module covers how to build a lightweight continuous monitoring practice for the LAN layer: a monthly config review against the baseline, a quarterly ACL audit, and a log review process that surfaces anomalies before they become findings. Output is a monitoring calendar and checklist your team can run without a dedicated security engineer present.
Module 11. Incident Response Documentation for Network Events
When a network event triggers a security incident, the first question the ISSO asks is: what changed, when, and who authorized it. This module builds the documentation habit that makes that question answerable. You will create a network incident log template, a communication chain for notifying the security officer, and a post-incident config review process that produces evidence your team responded appropriately. Covers the specific RMF incident response controls that touch network configuration management.
Module 12. Handing Off a Compliance-Grade Network Package
When you rotate off a program or bring on a new technician, the network needs to transfer without losing its compliance state. This module builds the handoff package: a current topology diagram, a device baseline set, an ACL audit record, a change log, and a compliance status summary the incoming technician and the ISSO can read without a briefing. You will finish the course with a template you can fill once and reuse across every LAN environment you manage.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Preparing for an upcoming STIG assessment or ATO renewal and your documentation is not current-state.
A recent config change created a discrepancy between the topology map and what is on the wire.
Your ISSO has asked for network documentation you do not yet have in the required format.
You are the new technician on a program and the previous technician's documentation is incomplete or outdated.

What you get with this course

  • 12 written modules in the Art of Service learning environment, each covering one documentation or hardening artefact with worked examples.
  • Downloadable templates for every module: topology map format, device baseline template, ACL audit log, change log, STIG remediation artefact, handoff package.
  • The hand-built implementation playbook: a step-by-step sequence for applying each module's method to your current LAN environment, written for your specific role and context.
  • Access within 24 hours of purchase.

What you will have in hand by Day 1, Week 1, Month 1

Access to all 12 modules and downloadable templates within 24 hours of purchase.

The hand-built implementation playbook, written for your specific role and network context, delivered alongside course access.

Before and after

Before

Your network works. Your documentation is scattered across a shared drive, partially outdated, and not in the format your ISSO or assessor expects. Each assessment cycle involves a scramble to reconstruct what the current state actually is.

After

Your network works and your documentation is current, formatted to standard, and ready to hand to an assessor or a new technician without a verbal walkthrough. Config changes are logged as they happen. Findings close cleanly.

What happens if you do not address this

The next STIG assessment will find the gap between your running config and your documented config. CAT II findings require a Plan of Action and Milestones response. CAT I findings delay or stop the ATO. The cost of a clean documentation habit is one week of focused work. The cost of an undocumented network at assessment time is measured in program-level delay.

Who it is for

You are a LAN technician at a federal contractor or government agency. You manage switches, routers, VLANs, and access control lists. You work inside a classified or controlled unclassified environment, or you support one from the contractor side. Your network is subject to periodic STIG assessments, RMF reviews, or ATO renewals. You have technical ability. What you need is the compliance documentation method that makes your technical work visible and auditable.

Who this is NOT for. Network administrators at commercial enterprises with no federal compliance requirement. Security architects who work at the design layer without touching device configurations. IT managers who do not personally manage network equipment.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Most technicians complete the course in two to three focused sessions. The implementation playbook is designed to be applied to your current environment over the following two to four weeks.

Why $199 is the right number

STIG checklists tell you what to check. They do not teach you how to build the documentation artefacts that close findings and keep them closed. Vendor training covers device configuration but not the compliance documentation layer that federal environments require. This course fills the gap between technical skill and compliance-grade evidence production.

FAQ

Does this course cover a specific networking vendor?
Cisco IOS and IOS-XE are used as the reference platform throughout, because they are the most common in federal contractor environments. The documentation method and the compliance artefact templates transfer directly to other vendors.
Do I need a security clearance or specific certification to take this course?
No. The course is designed for technicians working in or supporting federal contractor environments. It assumes technical familiarity with LAN equipment and basic STIG awareness, not a specific certification level.
What if my program uses a different compliance framework than STIG?
The documentation methods and artefact formats in this course align with NIST 800-53 controls and RMF requirements, which underpin STIG, FedRAMP, and most federal ATO frameworks. The method transfers across frameworks.
How does the implementation playbook work?
The playbook is built for your role: LAN technician in a federal or contractor environment. It sequences the course methods into a practical application order, with specific steps for your current topology and compliance situation. It is delivered alongside course access, not as a separate purchase.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.