Requirement text: AT.2.056: Ensure that managers, system administrators, and users of organizational
systems are made aware of the security risks associated with their activities and of
the applicable policies, standards, and procedures related to the security of those
systems.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations determine the content and frequency of security awareness training and
security awareness techniques based on the specific organizational requirements and the
systems to which personnel have authorized access. The content includes a basic
understanding of the need for information security and user actions to maintain security and
to respond to suspected security incidents. The content also addresses awareness of the
need for operations security. Security awareness techniques include: formal training;
offering supplies inscribed with security reminders; generating email advisories or notices
from organizational officials; displaying logon screen messages; displaying security
awareness posters; and conducting information security awareness events.
NIST SP 800-50 provides guidance on security awareness and training programs.
CMMC CLARIFICATION
Awareness training focuses user attention on security. You can use several techniques to do
this:
• instructor or online training;
• security awareness campaigns; and
• posters and email advisories and notices to employees.
There is an important distinction between awareness training and role-based training.
Awareness training provides general security training to influence user behavior. Role-
based training focuses on the knowledge, skills, and abilities needed to complete a specific
job.
Example
You want to provide information to employees so they can identify phishing emails. To do
this, you prepare a presentation that highlights basic traits, including:
• suspicious-looking email address or domain name;
• a message that contains an attachment or URL; and
• a message that is poorly written and often contains obvious misspelled words.
You encourage everyone to not click on attachments or links in a suspicious email. You tell
employees to forward such a message immediately to their IT security administrator. You
download free security awareness posters to hang in the office. Also, you send regular emails
and tips to all employees. This ensures that your message is not forgotten over time.
References
• NIST SP 800-171 Rev 1 3.2.1
• CIS Controls v7.1 17.3
• NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
• CERT RMM v1.2 OTA:SG1.SP1
• NIST SP 800-53 Rev 4 AT-2, AT-3