Level 5 CMMC - CMMC Practices

AT.2.056  

Reference: CMMC 1.02

Family: AT

Level Introduced: 2

Practice:
Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

CMMC Clarification:
Awareness training focuses user attention on security. You can use several techniques to do this:
• instructor or online training;
• security awareness campaigns; and
• posters and email advisories and notices to employees.
There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Role- based training focuses on the knowledge, skills, and abilities needed to complete a specific job.

Example
You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:
• suspicious-looking email address or domain name;
• a message that contains an attachment or URL; and
• a message that is poorly written and often contains obvious misspelled words.
You encourage everyone to not click on attachments or links in a suspicious email. You tell employees to forward such a message immediately to their IT security administrator. You download free security awareness posters to hang in the office. Also, you send regular emails and tips to all employees. This ensures that your message is not forgotten over time.

3.2.1

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Discussion:
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.

[SP 800-50] provides guidance on security awareness and training programs.

Source: NIST Special Publication 800-171 Rev. 2

AT-2

SECURITY AWARENESS TRAINING

Description:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
    a. As part of initial training for new users;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance:
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.

AT-3

ROLE-BASED SECURITY TRAINING

Description:
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
    a. Before authorizing access to the information system or performing assigned duties;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance:
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02