This article is the fifth in a 15-part blog series discussing each domain in Cybersecurity Maturity Model Certification (CMMC). In addition, this blog will explore the CMMC domain, Awareness, and Training (AT).
The Awareness and Training (AT) domain defines security awareness requirements among your organization's employees. In addition, this domain includes security practices that define the need to train your personnel to be prepared against risks and threats to your organization.
We will be exploring Awareness and Training in the following manner:
In the Awareness and Training domain, there will be a focus on role-based risk awareness, role-based training, and insider-threat awareness. Each of these will delve deep into the importance of all personnel and users within your organization being aware and how they must act to be safe.
Let's go ahead and discuss and break down the practices within the AT Domain:
The entire focus of this requirement is role-based awareness. Each employee within your organization has duties to fulfil, and certain employees have greater access to your information system than others (as their role requires). Therefore, understanding the risk of being compromised and being aware and vigilant is important for each employee, regardless of their role.
From managers to system administrators, all the way to new hires, users of your organizational systems need to be aware of risks associated with any of their actions, particularly concerning your organization's security.
Your organization can determine the content you give to your employees and the frequency, but it should be your goal to give all employees some basic form of awareness training. NIST SP 800-50 provides guidance on security awareness and training programs.
This requirement is an extension of the previous requirement, as, alongside awareness, you must also train your employees. Your organization needs to ensure that employees in information security. This training can include policies, procedures, tools, and artifacts for roles within your organization. Your organization's training should address management, operational, and technical roles and cover physical, personnel-related, and technical responsibilities. As a place to start, NIST SP 800-181 provides specifics on role-based security training, and it will give you better insight into how you should approach role-based training.
Insider Threats are often overlooked in an organization, but it is as crucial as recognizing external threats. Part of the security awareness training you provide needs to include recognizing and being able to report potential insider threats. Your employees should be able to communicate potential threats through organization-provided channels. You can also establish role-based insider threat awareness, as some employees need to be more vigilant than others. It is important to note that your organization does not need to provide separate training for this topic. Your standard awareness training curriculum can include Insider Threat Awareness.
This domain covers role-based risk awareness, training, and insider threat awareness. Each topic has one core focus: training your employees to be more aware. You can implement various security measures for your system, but you must also educate your employees on safe security practices and the risks to which they can be exposed.
For CMMC 2.0, there are no Level 1 practices for the Awareness and Training domain. So, for CMMC Level 1, your organization will not have to do anything for this domain. Although, it is good to have at least a basic security awareness program to protect your organization from cyber threats.
For CMMC Level 2, your organization will have to look further into the practices required and provide proper implementation and documentation. There are three practices for Level 2.
Here are some suggestions on what to include for audit or look for within your organization to comply with all the practices under Awareness and Training domain:
For CMMC Level 3, the AT practices are yet to be determined.