Level 5 CMMC - CMMC Practices

AT.4.059

Reference: CMMC 1.02

Family: AT

Level Introduced: 4

Practice:
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

CMMC Clarification:
This practice requires that awareness training specifically include tactics and indicators used by advanced cyber threat actors. The intent is to go beyond the basic cyber security awareness training elements such as password management and good cyber hygiene and to broaden awareness for more advanced attack techniques.

Example:
You manage cyber awareness training for the company. You are notified by a cybersecurity team member that a well-known cyber-attack team known as Fancy Bear has recently gone after peer organizations. The team member shares that one of their most common first steps is to look up employees via publicly available information sources, such as social media and corporate connection applications, and then craft well-targeted phishing attacks against software developers that invite them to a free conference in an overseas location. You quickly create and disseminate materials to sensitize corporate software developers to email phishing attacks and provide specific information, including examples, of prior Fancy Bear phishing emails as well as “friend” and “connection” requests. You also include the updates in the standard awareness training for the entire organization.

3.2.1e

Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.

Discussion:
One of the most effective ways to detect APT activities and reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code injections via email or web applications. Threat awareness training includes educating individuals on the various ways that APTs can infiltrate organizations, including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in non-secure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving.

[SP 800-50] provides guidance on security awareness and training programs.

Source: NIST Special Publication 800-172 (Draft)

AT-2

SECURITY AWARENESS TRAINING

Description:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
    a. As part of initial training for new users;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance:
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02