Run a system through the full Risk Management Framework
Take an information system from categorization through control selection, implementation, assessment, authorization, and continuous monitoring.
Learn how governance, risk management, and security controls work together across enterprise and regulated environments.

Every regulated organization — federal agencies, banks, hospitals, insurers, cloud providers — runs on the same backbone: governance, risk, and compliance. CGRC is the ISC2 credential that proves you can authorize systems, manage risk, and operate inside frameworks like NIST RMF.
It's the certification that opens doors into federal contracting, FedRAMP, HIPAA, and enterprise security program roles.
This course is a good fit if you are:
When you finish this course, you won't just be able to recite a framework — you'll be able to contribute to real governance work. Specifically, you'll be able to:
Take an information system from categorization through control selection, implementation, assessment, authorization, and continuous monitoring.
Assemble the System Security Plan, risk assessment, security assessment report, and POA&M that an Authorizing Official needs to make a risk-based decision.
Plan and execute control assessments, gather evidence, document findings, and recommend corrective actions.
Take FISMA, FedRAMP, HIPAA, PCI, or internal policy requirements and turn them into controls, evidence, and monitoring routines the business can actually run.
Speak the same language as auditors, ISSOs, ISSMs, AOs, and program management offices, and contribute to enterprise risk decisions.
These are the kinds of situations graduates step into on the job — not theoretical exercises.
You don't need to work for an AI or tech company. Organizations across nearly every industry are implementing governance programs and need professionals who can support them.
Regulated organizations cannot operate without people who understand how governance, risk, and compliance intersect. CGRC-credentialed professionals are the connective tissue between security engineering, executive risk decisions, and the auditors and regulators who hold organizations accountable.
Compensation varies based on location, experience, industry, employer, and existing credentials. CACE does not guarantee employment, promotion, or salary outcomes.
ISC2 CGRC
Upon passing the exam and meeting ISC2's experience requirements (or earning Associate of ISC2 status), you receive the official ISC2 CGRC credential.
There are no prerequisites to attend the course. While professional experience is recommended before pursuing the full CGRC certification, anyone can take the training and sit for the exam if they meet ISC2's eligibility requirements.
No. This program is designed for professionals from business, legal, audit, risk, compliance, and security backgrounds. Technical experience is helpful but not required.
Develop the governance, risk, and compliance skills used across enterprise security programs.
Share your details and a member of our team will follow up with cohort dates, tuition, and enrollment guidance.
Not sure which program fits? Chat live with Avery, our enrollment advisor, for a quick consult on certifications, cohorts, payment plans, and group pricing.