Requirement text: AT.4.059: Provide awareness training focused on recognizing and responding to
threats from social engineering, advanced persistent threat actors, breaches, and
suspicious behaviors; update the training at least annually or when there are
significant changes to the threat.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
One of the most effective ways to detect APT activities and to reduce the effectiveness of
those activities is to provide specific awareness training for individuals. A well-trained and
security aware workforce provides another organizational safeguard that can be employed
as part of a defense-in-depth strategy to protect organizations against malicious code
injections via email or web applications. Threat awareness training includes educating
individuals on the various ways APTs can infiltrate organizations, including through
websites, emails, advertisement pop-ups, articles, and social engineering. Training can
include techniques for recognizing suspicious emails, the use of removable systems in
non-secure settings, and the potential targeting of individuals by adversaries outside the
workplace. Awareness training is assessed and updated periodically to ensure that the
training is relevant and effective, particularly with respect to the threat, which is constantly,
and often rapidly, evolving.
CMMC CLARIFICATION
This practice requires that awareness training specifically include tactics and indicators used
by advanced cyber threat actors. The intent is to go beyond the basic cyber security
awareness training elements such as password management and good cyber hygiene and to
broaden awareness for more advanced attack techniques.
Example
You manage cyber awareness training for the company. You are notified by a cybersecurity
team member that a well-known cyber-attack team known as Fancy Bear has recently gone
after peer organizations. The team member shares that one of their most common first steps
is to look up employees via publicly available information sources, such as social media and
corporate connection applications, and then craft well-targeted phishing attacks against
software developers that invite them to a free conference in an overseas location. You
quickly create and disseminate materials to sensitize corporate software developers to email
phishing attacks and provide specific information, including examples, of prior Fancy Bear
phishing emails as well as “friend” and “connection” requests. You also include the updates
in the standard awareness training for the entire organization.
References
• Draft NIST SP 800-171B 3.2.1e
• CIS Controls v7.1 17.1, 17.2, 17.4
• NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
• CERT RMM v1.2 OTA:SG2.SP1
• NIST SP 800-53 Rev 4 AT-2, AT-2(3), AT-2(4), AT-2(6), AT-2(7)