HFI
HARVEST & FORT
INDUSTRIES

GRC Practitioner Training

Train as a practitioner,
not a test-taker.

A seven-week cohort program that walks operators through a full Risk Management Framework cycle (from categorization to continuous monitoring) using the artifacts, controls, and decisions that federal GRC work actually requires.

No prior federal experience required · Next cohort May & June 2026

7 Weeks

RMF cycle, end to end

Practitioner-Led

13+ years federal experience

Real Artifacts

Not lecture videos

Career Outcomes

Operator-level skills

What You Learn To Do

The Risk Management Framework, end to end.

Each step is taught through a working system: categorized, controlled, implemented, assessed, authorized, and monitored over the seven weeks.

01 · Categorize: Define system impact and risk profile against NIST SP 800-60 and FIPS 199.

02 · Select: Tailor controls from NIST SP 800-53 to the system, mission, and risk tolerance.

03 · Implement: Deploy and document controls in language an assessor (and an auditor) can read.

04 · Assess: Examine, interview, and test against the documented implementation.

05 · Authorize: Build the package an AO can sign: risk-based, evidence-backed, defensible.

06 · Monitor: Establish continuous monitoring that feeds the next cycle and survives turnover.


How The Program Works

Stay for the cohort.
Operate with the system.

Most training programs hand you slides and call it a course. The GRC Practitioner Program is structured as a working environment — the same playbooks, control libraries, and artifacts a practitioner uses on a real engagement. The cohort gets you started. The system keeps you sharp after you finish.

  • Weekly live sessions led by federal GRC practitioners
  • Graded assignments mapped to NIST SP 800-37 / 800-53
  • A capstone authorization package you can speak to in interviews
  • Ongoing access to the practitioner library after the cohort closes

The Curriculum

Seven weeks. One full RMF cycle.

Each week builds on the last. By the time you finish the capstone, you have done the work. Not just studied it.

Week 1 · Foundation · Introduction to GRC & the RMF
Federal context, key authorities, and how the RMF fits into agency operations.

Week 2 · Foundation · Categorize & Select Controls
Walk a real system through categorization and control selection using 800-60 and 800-53.

Week 3 · Build · Implement, Part I
Translate selected controls into implementation statements that hold up under review.

Week 4 · Build · Implement, Part II
Evidence, artifacts, and the documentation discipline that makes assessment possible.

Week 5 · Verify · Assess Controls
Conduct examinations, interviews, and tests; write findings that survive scrutiny.

Week 6 · Verify · Assessment in Practice
Plans of action, milestones, and the realities of working with assessors and AOs.

Week 7 · Decide · Authorize the System: Capstone
Assemble and defend a complete authorization package. Present to a panel of practitioners.

Outcomes

What you walk away with.

The program is built to leave practitioners with artifacts, reasoning, and a network: the same things a hiring manager or contracting officer looks for in a credible operator.

A defended authorization package

A complete RMF capstone (categorization, controls, evidence, assessment, and ATO memo) that you have presented and defended.

A working artifact portfolio

System security plans, control implementation statements, POA&Ms, and assessment reports you can point to in interviews.

Practitioner-grade reasoning

The ability to reason from NIST SP 800-37 and 800-53 (not memorize them) when a system, a control, or an AO question lands on your desk.

A clear career direction

Interview preparation, role mapping, and a sharper sense of where in federal GRC your background fits best.

A practitioner network

Direct access to cohort peers and HFI alumni who are operating in federal GRC roles right now.

Continuing access

Ongoing access to the Work OS (playbooks, control libraries, and scenarios) long after the cohort ends.

Who This Is For

Built for people ready to do the work.

The program is designed for practitioners at different points in their federal GRC career: entering, transitioning, or sharpening.

Career switchers

Professionals moving into federal GRC who need a credible, structured entry path.

Recently transitioned

Operators between roles who want structure, momentum, and current artifacts to point to.

Early-career analysts

GRC analysts who want to stop guessing and start reasoning from the framework itself.

Independent practitioners

Solo operators who need a reliable workflow, templates, and a peer network to run with.

Senior practitioners

Experienced GRC professionals refreshing the framework and sharpening current practice.

Practitioner-Led

Built and taught by federal GRC operators.

This is not a course assembled from public material. The curriculum is shaped by the same practitioners who run HFI's federal engagements.

Lead Instructor

Bruce Fort

Defense Logistics, GRC Workforce & Mission Support Leader

Bruce has been training GRC practitioners since 2014, predating HFI’s 2024 founding by a decade. He’s worked with people across federal agencies, defense primes, and emerging GRC professionals transitioning from IT operations, military service, audit, security operations, and adjacent fields. The HFI GRC Practitioner Program is the structured version of the work he’s been doing as an embedded mentor for years.


Credentials

Secret Clearance

Security+

Bruce is a senior practitioner translating federal compliance requirements into operational systems, workforce pipelines, and mission-support programs that hold up under scrutiny.

The Practitioner Program is built on the same playbooks and control libraries he uses on live federal engagements. Not a generalized curriculum, and not a repackaged exam guide.

Three Ways To Engage

Self-serve, join a cohort, or train your team.

All three options are built on the same operating system. The cohort adds live instruction and a capstone. Staff training is scoped to your team.

Practitioner Work OS

Self-serve, quarterly

$99 / quarter

Billed every three months. Cancel anytime.

Full access to the playbooks, control libraries, evidence templates, scenario practice, and interview library.

  • Full Work OS access
  • Control & evidence libraries
  • Scenario practice
  • Interview preparation library

Most Popular

Practitioner Program

Seven-week cohort + Work OS access

By application

Cohorts are kept small. Tuition shared on request.

Live cohort instruction, graded assignments, office hours, and a capstone authorization package. Includes ongoing Work OS access.

  • Everything in Work OS
  • Live weekly sessions with practitioners
  • Graded assignments and feedback
  • Capstone authorization project
  • 1:1 interview prep and coaching
  • Alumni and practitioner network

Staff Training

For teams and organizations

Custom proposal

Scoped to your team, mission, and timeline.

Practitioner-led GRC training engagements built for federal contractors and mission-driven organizations, delivered on-site, virtually, or hybrid.

  • Custom curriculum mapped to your environment
  • On-site, virtual, or hybrid delivery
  • Cohort sizes from 5 to 50+
  • Role-specific tracks (analyst, lead, AO)
  • Optional capstone tied to a real system

Compare The Options

What you get, side by side.

| Feature | Work OS | Practitioner Program | Staff Training |
|---|---|---|---|
| Playbooks & templates | Included | Included | Included |
| Control libraries & references | Included | Included | Included |
| Scenario practice | Self-paced | Guided, weekly | Custom |
| Live weekly sessions | | Included | Custom schedule |
| Office hours with practitioners | | Included | Included |
| Graded assignments & feedback | | Included | Custom |
| Capstone authorization project | | Included | Optional |
| Interview prep & coaching | Library access | 1:1 coaching | |
| Alumni & practitioner network | | Ongoing | |
| Delivery | Self-serve | Cohort | On-site or virtual |
| Billing | $99 / quarter | By application | Custom proposal |

Questions, Answered

Frequently asked.

The questions practitioners ask most often before applying. If yours is not here, send it to the training team.

Who is the program designed for?

Career switchers, recently transitioned operators, early-career GRC analysts, independent practitioners, and senior practitioners refreshing the framework. The work is calibrated for adult learners who want to do federal GRC work, not pass a test about it.

Do I need prior federal or GRC experience?

No prior federal experience is required. Cohort members come from a mix of backgrounds: IT, audit, military, project management, and adjacent fields. The first week grounds everyone in the framework before the build phase begins.

How much time per week should I expect to commit?

Plan for one live session per week plus six to eight hours of independent work on assignments, control implementation, and evidence. The capstone week is heavier as you assemble and defend your authorization package.

What is the tuition for the Practitioner Program?

Tuition is shared on request along with cohort dates, payment plan options, and any available sponsorships. Submit the inquiry form and a member of the HFI training team will follow up within two business days.

Does the program align with DoD 8140 or count toward CEUs?

The curriculum maps to NIST SP 800-37 and 800-53 and reinforces the body of knowledge behind common workforce frameworks. We are happy to provide a learning hours letter for CEU submission to ISC2, ISACA, and similar bodies on request.

What is the refund policy?

Full refunds are available before the start of Week 1. After the program begins, refunds are pro-rated through Week 2 and not offered after Week 3. Specifics are included in the program agreement shared during the inquiry process.

Can my employer sponsor my enrollment?

Yes. Many cohort members enroll through employer sponsorship, training stipends, or GI Bill / Veteran Education benefits. We provide invoicing, W-9s, and any documentation your organization or program requires.

The Workspace

Step into a real practitioner workspace.

Each cohort member is dropped into a working environment modeled after a senior GRC analyst leading a SOC 2 readiness engagement — with control libraries, evidence workpapers, audit-trail documentation, and the playbooks a practitioner actually opens during an engagement.

  • Live control library mapped to NIST frameworks
  • Evidence workpapers with full audit trail
  • Playbooks for the engagements you will run

Live Preview: Workspace / soc-2-readiness

SOC 2 Readiness · On Track · 12 controls in flight · 4 of 12 complete

  • CC6.1 Logical access controls: Evidence ready
  • CC7.2 System monitoring: In review
  • CC1.4 Background checks: Drafting

Apply to the next Practitioner cohort.

Cohorts are kept small so each practitioner gets attention, feedback, and a capstone they can defend.
