CMMC Requirement AT.L3-3.2.1E – Advanced Threat Awareness: Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Links to Publicly Available Resources
Guide from Carnegie Mellon University on how to build and implement a cybersecurity awareness program.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
CISA guidance for recognizing common social engineering and phishing attacks.
A course to provide an overview of current cybersecurity threats and best practices to keep information and information systems secure at home and at work. This training also reinforces best practices to protect classified information, controlled unclassified information (CUI), and personally identifiable information (PII).
Outline of the major topics to cover in a cybersecurity awareness program and how they benefit the company.
KnowBe4 is a large security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.
This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP).
An effective method to detect APT activities and reduce their effectiveness is to provide specific awareness training for individuals. A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code delivered via email or web applications. Threat awareness training includes educating individuals on the various ways that APTs can infiltrate organizations, including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the risks of using removable media and devices in non-secure settings, and the potential targeting of individuals by adversaries outside the workplace (for example, through personal email or social media accounts). Awareness training is assessed and updated periodically to ensure that it remains relevant and effective, particularly with respect to the threat, which is constantly, and often rapidly, evolving.
[NIST SP 800-50] provides guidance on security awareness and training programs.
Further Discussion
All organizations, regardless of size, should have a cyber training program that helps employees understand the threats they will face on a daily basis. To satisfy this requirement, the training must cover social engineering, APT actors, breaches, and suspicious behaviors; it must be delivered upon initial hire, following a significant cyber event, and at least annually; and the content must be reviewed and updated at least annually or whenever the threat changes significantly. An assessor will expect to see the training content itself, records showing who completed it and when, and evidence that the material has been revised as threats have changed, so retain completion records and version history for each update.