• Requirement

    Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

  • Discussion

    Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises include unannounced social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. It is important that senior management are made aware of such situations so that they can take appropriate remediating actions.

    [NIST SP 800-181] provides guidance on role-based security training, including a lexicon and taxonomy that describes cybersecurity work via work roles.

More Info

  • Title

    Practical Training Exercises
  • Domain

    Awareness and Training
  • CMMC Level

  • Further Discussion

    This requirement can be performed by the organization or by a third-party company. Training exercises (including unannounced exercises, such as phishing training) should be performed at various times throughout the year to encourage employee readiness. After each exercise session has been completed, the results should be recorded (date, time, what and who the training tested, and the percent of successful and unsuccessful responses). The purpose of training is to help employees in all roles act appropriately for any given training situation, which should reflect real-life scenarios. Collected results will help identify shortcomings in the cyber training and/or whether additional instructional training may be needed.

    General exercises can be included for all users, but exercises tailored for specific roles are important, too. Training tailored for specific roles helps make sure individuals are ready for actions and events specific to their positions in a company. Privileged users receive training that emphasizes what permissions their privileged account has in a given environment and what extra care is required when using their privileged account.


    You are the cyber training coordinator for a medium-sized business. You and a coworker have developed a specialized awareness training to increase cybersecurity awareness around your organization. Your training includes social media campaigns, social engineering phone calls, and phishing emails with disguised links to staff to train them beyond the standard cybersecurity training [a,b].

    To send simulated phishing emails to staff, you subscribe to a third-party service that specializes in this area [a]. The service sets up fictitious websites with disguised links to help train general staff against this TTP used by APTs [d]. The third-party company tracks the individuals who were sent phishing emails and whether they click on any of the of the links within the emails. After the training action is completed, you receive a report from the third-party company. The results show that 20% of the staff clicked on one or more phishing email links, demonstrating a significant risk to your company. As the cyber training coordinator, you notify the individuals, informing them they failed the training and identifying the area(s) of concern [e]. You send an email to the supervisors informing them who in their organization has received training. You also send an email out to the entire company explaining the training that just took place and the overall results [e].

    Potential Assessment Considerations

    • Are the individuals being trained and the results recorded [e]?
    • Are the training exercises performed [c]?
    • Are the exercises set up for all users? Are there tailored exercises based on roles within the organization (general users, users with specialized roles, and privileged users) [d]?
    • Does the organization have documentation recording the training exercises, who participated, and feedback provided to those who participated in a training session [c,e]?

NIST 800-172A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!