AT.2.056 Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

CMMC Practice AT.2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Awareness training focuses user attention on security. You can use several techniques to do this:

  • instructor or online training;
  • security awareness campaigns; and
  • posters and email advisories and notices to employees.

There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job.