Demand for graduates with cybersecurity skills continues to increase. Many universities have developed or are in the process of developing new courses or degree programs to meet student demand and fill the skill gap in industry. Instructors face unique challenges when developing cybersecurity courses: While it is widely recognized that hands-on exercises are critical for helping students reach course learning objectives, legal, operational, and pedagogical challenges make it difficult to create safe, secure, and reusable exercises. The purpose of this article is to provide course designers principles for developing cybersecurity exercises in a way that maximizes student success while minimizing organizational risk. A matrix to help educators and administrators evaluate controls is provided, allowing for a clearer description of the risks eliminated, mitigated, and accepted. The principles provided in this article are based on the experience of developing a new cybersecurity degree program at a Midwestern university.