Level 5 CMMC - CMMC Practices

AT.2.057

Reference: CMMC 1.02

Family: AT

Level Introduced: 2

Practice:
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

CMMC Clarification:
Training imparts skills and knowledge. It enables staff to perform a specific resilience function. Training programs identify cybersecurity skill gaps within your organization. Then, the programs train users on their specific cybersecurity roles and responsibilities.

There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job.

Example
Your company upgraded the firewall to a newer, more advanced system. Your company identified you as an employee who needs training on the device. This will enable you to use it effectively. Your company considered this when it planned for the upgrade. It made training funds available as part of the upgrade project.

3.2.2

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Discussion:
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.

[SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.

Source: NIST Special Publication 800-171 Rev. 2

AT-2

SECURITY AWARENESS TRAINING

Description:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
    a. As part of initial training for new users;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance:
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.

AT-3

ROLE-BASED SECURITY TRAINING

Description:
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
    a. Before authorizing access to the information system or performing assigned duties;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance:
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02