CMMC Practice AT.L2-3.2.1 – Role-Based Risk Awareness: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This security training from the HHS is an example of requirements and guidance to provide appropriate role-based security training. The purpose of this example procedure from the EPA is to help with implementing the security control requirements for the Awareness and Training (AT) control family. KnowBe4 is a large security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. This NIST Special Publication provides guidance for building an effective security program. Proofpoint Security Awareness Training is offering a free Phishing Awareness Kit. This kit gives you the tools you need to engage your users and turn them into a strong line of defense against phishing attacks and other cyber threats. This SANS whitepaper describes how to successfully implement a comprehensive Security Training, Awareness, and Education program. This course introduces the threats and vulnerabilities faced when working within the government or defense industrial systems. The NICCS Education and Training Catalog is a central location where cybersecurity professionals across the nation can find over 3,000 cybersecurity-related courses. This document is an example of an Acceptable Use for System Administrators Policy from the University of Arizona. This resource provides general awareness and role-based information security training documents.
Discussion [NIST SP 800-171 R2]
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.
NIST SP 800-50 provides guidance on security awareness and training programs.
Further Discussion
Awareness training focuses user attention on security. Several techniques can be used, such as:
- synchronous or asynchronous training;
- simulations (e.g., simulated phishing emails);
- security awareness campaigns (posters, reminders, group discussions); and
- communicating regular email advisories and notices to employees.
Awareness training and role-based training are different. This practice, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.