Awareness training focuses user attention on security. Several techniques can be used, such as:

• synchronous or asynchronous training;
• simulations (e.g., simulated phishing emails);
• security awareness campaigns (posters, reminders, group discussions); and
• communicating regular email advisories and notices to employees.

Awareness training and role-based training are different. This requirement, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.

Example

Your organization holds a DoD contract which requires the use of CUI. You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:

• suspicious-looking email address or domain name;
• a message that contains an attachment or URL; and
• a message that is poorly written and often contains obvious misspelled words.

You encourage everyone to not click on attachments or links in a suspicious email [c]. You tell employees to forward such a message immediately to IT security [d]. You download free security awareness posters to hang in the office [c,d]. You send regular emails and tips to all employees to ensure your message is not forgotten over time [c,d].

Potential Assessment Considerations

• Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
• Do training materials identify the organization-defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?