CMMC Requirement AT.L3-3.2.2E – Practical Training Exercises: Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
Links to Publicly Available Resources – Coming Soon
This publication from the National Initiative for Cybersecurity Education (NICE) describes the Workforce Framework for Cybersecurity (NICE Framework), a fundamental reference for describing and sharing information about cybersecurity work.
Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTPs) of the threat. Examples of practical exercises include unannounced social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. It is important that senior management is made aware of such situations so that they can take appropriate remediating actions.
[NIST SP 800-181] provides guidance on role-based security training, including a lexicon and taxonomy that describes cybersecurity work via work roles.
Further Discussion
This requirement can be performed by the organization or by a third-party company. Training exercises (including unannounced exercises, such as phishing training) should be performed at various times throughout the year to encourage employee readiness. After each exercise session has been completed, the results should be recorded (date, time, what and who the training tested, and the percent of successful and unsuccessful responses). The purpose of training is to help employees in all roles act appropriately in any given training situation, which should reflect real-life scenarios. The collected results help identify shortcomings in the training and whether additional instructional training is needed.
General exercises can be included for all users, but exercises tailored for specific roles are important, too. Training tailored for specific roles helps make sure individuals are ready for actions and events specific to their positions in a company. Privileged users receive training that emphasizes what permissions their privileged account has in a given environment and what extra care is required when using their privileged account.
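The record-keeping and feedback loop described above (results per exercise, broken down by role, with rapid feedback to the individual and escalation of critical-role failures to supervisors), as an added example that is not part of the CMMC or NIST text. The exercise identifier, names, roles and supervisors are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample results from one unannounced phishing exercise (not real data).
# Roles follow the requirement's three groups: general, specialized, privileged.
# Fields: user, role, supervisor, clicked_link, reported_to_security
SAMPLE_RESULTS = [
    ("alice", "general", "sup1", False, True),
    ("bob", "general", "sup1", True, False),
    ("carol", "specialized", "sup2", False, False),
    ("dave", "privileged", "sup2", True, False),
    ("erin", "privileged", "sup3", False, True),
]


def summarize_by_role(results):
    """Per-role counts of users tested, failed (clicked) and reported, with failure %."""
    tally = defaultdict(lambda: {"tested": 0, "failed": 0, "reported": 0})
    for _user, role, _sup, clicked, reported in results:
        t = tally[role]
        t["tested"] += 1
        t["failed"] += int(clicked)
        t["reported"] += int(reported)
    for t in tally.values():
        t["failure_pct"] = round(100.0 * t["failed"] / t["tested"], 1)
    return dict(tally)


def build_feedback(results, critical_roles=("privileged",)):
    """Per-user feedback plus supervisor escalations for failures in critical roles."""
    user_feedback = {}
    escalations = defaultdict(list)
    for user, role, sup, clicked, reported in results:
        if clicked:
            user_feedback[user] = "failed: clicked the simulated link; refresher module assigned"
        elif reported:
            user_feedback[user] = "passed: reported the message to security"
        else:
            user_feedback[user] = "passed: did not click, but did not report"
        if clicked and role in critical_roles:
            escalations[sup].append(user)
    return user_feedback, dict(escalations)


def exercise_record(exercise_id, date, time, results):
    """The record the discussion calls for: date, time, what was tested, who, and outcomes."""
    return {
        "exercise": exercise_id, "date": date, "time": time,
        "users_tested": [r[0] for r in results],
        "by_role": summarize_by_role(results),
    }
```

Running `exercise_record("PHISH-EXERCISE-ID", "2024-05-14", "09:30", SAMPLE_RESULTS)` together with `build_feedback(SAMPLE_RESULTS)` yields the per-role percentages for the training log, one feedback line per user, and the list of privileged-user failures to send to each supervisor.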