Built by someone who lived the problem
David McIltrot has spent 25 years working in and around the federal government — first as a contractor, later as a federal employee, and across nearly every role that touches information security along the way.
He entered government contracting at the end of 2001, starting with the kind of foundational work that gets underestimated: PC technician support, building an understanding of how federal systems actually work from the ground up. By 2006 he was moving into cybersecurity in earnest, and over the following two decades he would hold roles spanning system administration, incident response, vulnerability assessment and management, IT policy and planning, solutions architecture, and system ownership — on both sides of the government-contractor relationship.
He has supported some of the federal government's most consequential agencies, including the U.S. Office of Personnel Management, the U.S. Agency for International Development, and multiple Department of Defense components.
In 2015, David was working as a contractor at OPM when the breach became public — one of the most significant cybersecurity incidents in U.S. government history, affecting the personnel records of over 21 million federal employees and contractors. That experience was formative. It accelerated his transition to a federal role in 2016, where he spent years contributing to the security of multiple information systems and building out governance frameworks and enterprise architecture from the ground up.
What he kept seeing, across agencies and across programs, was a version of the same problem.
An ISSO sits down to write an implementation statement. The control language is dense, technical, and unforgiving. There is no example of what good looks like. There is no sandbox to practice in. So they guess — or they ask the system administrator, who also guesses — and what follows is a cycle of emails, clarification meetings, and rework that drags out timelines, keeps POA&Ms open longer than they should be, and extends the window during which risk is formally accepted on a system that should have been authorized months ago.
The problem isn't lack of effort. It's lack of exposure. Most ISSOs learn by doing real work on live systems, under pressure, without a safety net.
RMF Pro exists to change that.
It is the tool David wished existed when he was first navigating eMASS, writing his first implementation statements, and trying to understand what an assessor actually wanted to see. A realistic, browser-based simulation environment where practitioners can build the muscle memory before it counts — and where the feedback is immediate, specific, and grounded in the standards that real assessors apply.
David holds CompTIA Security+, Certificate of Competence in Zero Trust, and Certificate of Cloud Security Knowledge (Cloud Security Alliance). He built RMF Pro because the federal cybersecurity workforce deserves better training infrastructure than learning on the job and hoping for the best.