CMMC Training for Defense Contractors!

AT.L3-3.2.1e

Requirement

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

Discussion

An effective method to detect APT activities and reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code injections via email or web applications. Threat awareness training includes educating individuals on the various ways that APTs can infiltrate organizations, including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in non-secure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving.

[NIST SP 800-50] provides guidance on security awareness and training programs.

More Info

Title

Advanced Threat Awareness
Domain

Awareness and Training
CMMC Level

3

Related NIST 800-171 ID
- 3.2.1
Related NIST 800-172 ID

3.2.1e
Reference Documents
- NIST SP 800-172
- NIST SP 800-50

Further Discussion
All organizations, regardless of size, should have a cyber training program that helps employees understand threats they will face on a daily basis. This training must include knowledge about APT actors, breaches, and suspicious behaviors.

Example

You are the cyber training coordinator for a small business with eight employees. You do not have your own in-house cyber training program. Instead, you use a third-party company to provide cyber training. New hires take the course when they start, and all current staff members receive refresher training at least once a year [b]. When significant changes to the threat landscape take place, the company contacts you and informs you that an update to the training has been completed [c,d] and everyone will need to receive training [b]. You keep a log of all employees who have gone through the cyber training program and the dates of training.

Potential Assessment Considerations
- Does the organization have evidence that employees participate in cyber awareness training at initial hire and at least annually thereafter or when there have been significant changes to the threat [b]?

NIST 800-172A Assessment Guidance

Examine

[SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records].
Interview

[SELECT FROM: Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community].
Test

[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].

ID	Determination Statements
3.2.1e_ODP[1]	The frequency of providing awareness training is defined.
3.2.1e_ODP[2]	The frequency of updating awareness training is defined.
3.2.1e[a]	Threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified.
3.2.1e[b]	Awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors is provided <3.2.1e_ODP[1]: frequency>.
3.2.1e[c]	Significant changes to the threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified.
3.2.1e[d]	Awareness training is updated <3.2.1e_ODP[2]: frequency> or when there are significant changes to the threat.

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!