Level 5 CMMC - CMMC Practices

AT.4.060  

Reference: CMMC 1.02

Family: AT

Level Introduced: 4

Practice:
Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

CMMC Clarification:
This practice increases the effectiveness of security awareness and training by including exercises that directly relate to real-world threats. In addition, the intent of the requirement for feedback is to ensure that the organization is proactive in seeking to measure the value being achieved by these exercises.

Example
You manage cyber awareness training for the company. You have been notified by the company cybersecurity team that a well-known cyber-attack team known as “Fancy Bear” has recently gone after peer organizations. You create a well-targeted phishing attack that appears to come from an external source aimed at company employees in the software development branch. When an employee clicks on a “bad” link, a notice is sent by the receiving server to corporate security, and a message is automatically generated once the exercise ends to notify the employee that they should not have clicked the link and to provide the clues that would have allowed them to identify the phishing attack.

In an effort to “raise their game” in the speed and relevance of their phishing prevention program, you work with the IT branch to create a process that takes actual “same day” phishing attacks that were identified by email defenses. The first step is to neutralize the emails by replacing attachments with corporate “Trojan horse” files and external links with a corporate phishing remote server link. Then the neutered but authentic phishing attack email is sent to the previous set of corporate addresses. Doing this allows you to train staff against actual threats at a faster pace and saves on the overhead of creating a realistic-looking phishing message.
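The neutralization step described above, as an added Python example (not part of the CMMC text): it parses a constructed sample of a captured phishing message, replaces each attachment with a benign placeholder file that keeps the lure's filename, rewrites every link to an assumed corporate training landing server with a per-recipient token so the server can log who clicked, refuses to produce a message if any outside URL survives, and assembles the end-of-exercise feedback note listing the clues. The server name, placeholder text and sample message are assumptions.

```python
import email, re
from email import policy
from urllib.parse import quote

TRAINING_URL = "https://phish-training.corp.example/landing"  # assumed corporate landing server
PLACEHOLDER = "Awareness exercise: the original attachment was removed."  # assumed "Trojan horse" file

# Constructed sample of a captured phishing message (not a real campaign).
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@secure-login-verify.example>
To: staff@corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Reset it now: <a href="http://secure-login-verify.example/reset">Reset password</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def neutralise(raw: bytes, recipient: str):
    """Swap every link and attachment; return (message, clues) for one recipient's exercise."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    clues = {"sender_domain": msg["From"].addresses[0].domain, "links": [], "attachments": []}
    for part in msg.walk():
        if part.is_attachment():  # keep the lure's filename, replace the payload with harmless text
            clues["attachments"].append(part.get_filename())
            part.set_content(PLACEHOLDER, filename=part.get_filename())
        elif part.get_content_type() == "text/html":
            def to_training(m):  # per-recipient token lets the landing server log the click
                clues["links"].append(m.group(1))
                return f'href="{TRAINING_URL}?u={quote(recipient)}&n={len(clues["links"])}"'
            html = re.sub(r'href="([^"]+)"', to_training, part.get_content())
            if any(not u.startswith(TRAINING_URL) for u in re.findall(r"https?://[^\s\"'<>]+", html)):
                raise ValueError("a URL survived neutralisation; do not send this exercise")  # pre-send gate
            part.set_content(html, subtype="html")
    msg.replace_header("To", recipient)
    return msg, clues

def feedback(clues) -> str:  # the clues the recipient should have spotted; sent once the exercise ends
    lines = [f"Sender domain '{clues['sender_domain']}' is not the corporate domain."]
    lines += [f"Link led outside the company: {u}" for u in clues["links"]]
    lines += [f"Unexpected attachment: {a}" for a in clues["attachments"]]
    return "\n".join(lines)
```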

3.2.2e

Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

Discussion:
Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises include no-notice social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. It is important that senior management are made aware of such situations so that they can take appropriate remediating actions.

[SP 800-181] provides guidance on role-based security training, including a lexicon and taxonomy that describes cybersecurity work via work roles.

Source: NIST Special Publication 800-172 (Draft)

AT-2 (1)

SECURITY AWARENESS | PRACTICAL EXERCISES

Description:
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

Supplemental Guidance:
Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Related controls: CA-2, CA-7, CP-4, IR-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02