Assessment Evaluation and Standardization Program
The role and mission of the Assessment Evaluation and Standardization (AES) program is to increase the quality and quantity of cyber professionals who can execute CISA cyber assessments.
Training assessors to conduct CISA standard Cyber Risk Assessment methodologies is a major step in setting up an ecosystem that is critical to the success of performing cyber assessments, and in providing national-level data views that drive initiatives to reduce risk.
The approach assists all .GOV, .MIL, and critical infrastructure, including SLTT, public, and private organizations.
The AES program accomplishes this mission by:
- producing a federal and private sector workforce of prepared and qualified assessors.
- ensuring that assessors have the knowledge and skills necessary to conduct assessments according to the CISA standards and methodologies.
- confirming that assessment results are of high quality, consistent, and repeatable.
AES Program Overview
AES has created a detailed video overview of the AES program. We strongly encourage all prospective students to review this video to learn more about the AES program, prerequisites, and qualification requirements.
AES Training Process
Each student in the AES program will follow the steps below based on AES role and course to become an AES qualified assessor.

AES Course Schedule
AES FY24 Training Course Schedule
Register for an AES Course
Follow the instructions below to register, enroll, and participate in an AES course.
- Log in to your Defend Cyber Moodle account.
  - Open Defend Cyber Moodle and log in to your account.
  - If you do not have a Defend Cyber Moodle account, follow the instructions in the AES Moodle Quick Start Guide to create your account.
  - If you have a Defend Cyber Moodle account, but need to reset your password, follow the instructions in the AES Moodle Quick Start Guide to reset your password.
- Select and complete all prerequisite(s).
  - Choose the prerequisite(s) for the AES course(s) you want to take.
  - For students who want to participate in the RVA Operator training course, enroll in and pass the Operator Skills Test (OST). You have three attempts in 24 hours to pass the OST with a score of 70% or higher.
  - For all students, enroll in and pass the Candidate Evaluation (CE) multiple choice exam. You have three attempts to pass the CE with a score of 70% or higher.
  - You must complete all prerequisites at least 60 days prior to the course start date.
  - AES encourages all students to complete the prerequisites and to enroll in the course as soon as possible. AES course enrollment is first come, first served.
- Enroll in your AES course(s).
  - After you pass the CE and OST (if applicable), enroll in the AES course(s) in Defend Cyber Moodle.
  - If your enrollment is successful, Defend Cyber Moodle will send you an enrollment confirmation email, and you will have access to course materials in Defend Cyber Moodle.
  - AES encourages all students to enroll in the courses as soon as possible. AES course enrollment is first come, first served.
AES Training Courses
Cybersecurity Performance Goals (CPG) Course
Evaluates whether a minimum baseline of cybersecurity technologies and practices is implemented in Information Technology (IT) and Operational Technology (OT) environments in small- and medium-sized organizations.
Cyber Resilience Review (CRR) Course
Evaluates operational resilience and cybersecurity practices through an interview-based assessment.
By signing up for the CRR, the student is registering for both the CRR and EDM courses taught in the same week.
External Dependencies Management (EDM) Course
Evaluates management of external dependencies through an interview-based assessment.
By signing up for the EDM, the student is registering for both the CRR and EDM courses taught in the same week.
High Value Assets (HVA) Course
Evaluates the HVA security architecture to identify potential risks from technical concerns (for non-Tier 1 HVAs only).
Risk and Vulnerability Assessment (RVA) Course
Evaluates on-site data and national threats and vulnerabilities to identify potential exploitation of network security controls.
Validated Architecture Design Review (VADR) Course
Evaluates systems, networks, and security services to determine the reliability and resiliency of their design, construction, and operation.
Incident Management Review (IMR) Course
Evaluates the processes used to identify and analyze events, declare incidents, determine a response, and improve an organization’s incident management capability.
AES Program Resources
- AES Fact Sheet
- AES Program Overview
- AES Welcome Letter
- AES Code of Ethics and Compliance
- AES Moodle Quick Start Guide
- AES Assessment Roles
- AES HVA Qualification Policy
- AES NT1 HVA Program Training and Qualification Process
- AES FY24 Training Course Schedule
Contact
To ask a question or provide other feedback on AES training, contact us at AEStraining@hq.dhs.gov