This article is a re-post (with some modifications) with permission from Native Intelligence’s blog. Native Intelligence is a provider of security awareness materials such as training courses and motivational items (check out their security awareness-themed fortune cookies!)
CMMC and Cyber Awareness Training
Of the 171 best practices described by the Cybersecurity Maturity Model Certification (CMMC), at least 19 can be partially or fully addressed with a well-designed cybersecurity awareness program. This article identifies the specific practices from the CMMC and discusses why it is better to address them with a training program rather than relying on technical configurations or policies alone.
CMMC Capability C011 Conduct Security Awareness Activities
The CMMC domain “Awareness and Training (AT)” is concerned with ensuring that organizations have a formal security training program. Performing formal training is required at CMMC maturity levels 2 and above.
AT.2.056 — “Cybersecurity awareness training for all users.”
“Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”
This level 2 requirement is covered by annual cybersecurity awareness training. Your workforce needs to understand that their actions could weaken security or allow bad actors onto the network. The training program should be customizable to include links to your organization’s policies and to display contact information for your security department.
AT.3.058 — “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”
Contractors that deal with Controlled Unclassified Information (CUI) need to add insider threat training. This training should describe the risk factors for becoming an insider threat (such as mental illness, dissatisfaction, and intent toward espionage). It should also offer less formal methods for reporting potential insider threats, since these individuals are often friends as well as co-workers.
CMMC Capability C012 Conduct Training
AT.2.057 — “Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”
Contractors should have security training specific to developers, helpdesk, testing, and system administrator personnel. This can be handled with a system administrator-specific training course or via security certifications such as CompTIA Security+.
Your security personnel (such as your CISO) should have advanced training and certifications, such as the CISSP.
AT.4.059 — “Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”
AT.4.060 — “Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”
These two best practices are for level 4+ organizations, those that are targeted by advanced threat actors.
To meet AT.4.060, you will need to add practical exercises to the curriculum. This can be accomplished with a specialized course that gives realistic examples of threats and asks users to respond to them. Another option is to test your users with simulated phishing attacks, which are delivered to their real email inboxes.
Security Awareness Training for 14 Other CMMC Practices
Cybersecurity awareness and training are a great way to support 14 more practices in the CMMC. These practices are in the domains:
- Access Control (AC)
- Media Protection (MP)
- Maintenance (MA)
- Physical Protection (PE)
- Systems and Communications Protection (SC)
The 14 practices below require broad agreement and compliance from your workforce. Even with the best technical controls, if your workers take the wrong action, they could cause your security to fail. This is why we recommend including these topics in your security awareness training.
AC.2.006 — “Limit use of portable storage devices on external systems.”
Your workforce should be trained not to connect corporate thumb drives and external hard drives to home computers or other untrusted systems.
AC.1.003 — “Verify and control/limit connections to and use of external information systems.”
Users should be trained to use only corporate or government systems for work, especially sensitive work.
AC.1.004 — “Control information posted or processed on publicly accessible information systems.”
Users should be warned against saving work files to public clouds that aren’t controlled by your IT department. These are common sources of DoD data breaches.
SC.3.193 — “Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).”
Training needs to address other means of accidentally disclosing sensitive information (such as ship movements). This is normally done by advising users to not discuss work on their social media accounts.
AC.2.016 — “Control the flow of CUI in accordance with approved authorizations.”
Users need to know what Controlled Unclassified Information (CUI) is and how to recognize it, along with other categories of sensitive information. Training should give clear guidance on how to send sensitive information securely (such as with encrypted email) and how to verify recipients before sending.
MA.3.115 — “Ensure equipment removed for off-site maintenance is sanitized of any CUI.”
MP.1.118 — “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”
All employees need to understand that computer equipment must be returned to the IT department rather than thrown in the trash or sold. The same training topic will also teach users to shred sensitive documents and CDs / DVDs.
MP.3.122 — “Mark media with necessary CUI markings and distribution limitations.”
All employees need to understand how to mark sensitive files and data. Your training should include custom sections for the specific types of CUI your users will encounter.
MP.2.119 — “Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.”
All users need to know the standards for protecting sensitive data, such as locking it up when unattended. This is particularly important for teleworkers and those who work out of alternate locations.
MP.3.123 — “Prohibit the use of portable storage devices when such devices have no identifiable owner.”
Users are the prime target for advanced threat actors. They need to know that portable storage devices can be infected with malware and not to connect them to the corporate network.
PE.1.131 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”
PE.1.132 — “Escort visitors and monitor visitor activity.”
PE.1.133 — “Maintain audit logs of physical access.”
User training is the best way to get everyone on the same page about protecting your facility. Topics should include identifying and reporting unauthorized persons, procedures for escorting visitors, and how to prevent tailgating.
PE.3.136 — “Enforce safeguarding measures for CUI at alternate work sites.”
This topic is essential for teleworkers and those who work at customer sites. Training should address best practices for protecting CUI outside of the office, such as not printing it out, and making sure the computer is locked whenever the user steps away.
Integrating Training and Policies for CMMC Compliance
Regular awareness training should supplement your policies and procedures. Many of these security topics should be covered in user agreements and policies, but you also want to make the information user-friendly. Training courses are a way of breaking information down for your average user.
Why Keep Training Records?
As you implement security awareness training for your staff, make sure to keep records. There are several reasons for keeping records of training; the most obvious one is that they serve as evidence to show your CMMC assessor!
Training as a requirement for accounts
High-security networks generally require proof of annual cyber-awareness training before they will issue accounts. You should consider doing the same. A good cyber-awareness course will provide a certificate of completion if students pass the final test. This certificate should be reviewed as part of your access management process.
Training courses ideally have exercises, quizzes, and a final test to verify the trainee has understood the training. In highly mature organizations, aggregate data can be reviewed to find and resolve gaps in knowledge or culture within your company. For example, if most employees fail an exercise about how to contact the security department, you might decide to post signs with that contact information in employee workspaces.
Address individual risk
Some organizations track risk at the individual level. Highly secure organizations often have programs where they send out weekly cybersecurity training and quizzes via email (designed to take 5 minutes per week). The results from the weekly quizzes are stored for the employee and additional risk-reduction actions may be scheduled depending on performance. For example, if an employee repeatedly fails or ignores quizzes, they might be scheduled for in-person cybersecurity training, or even have it reflected in their performance evaluations.
Native Intelligence was kind enough to provide this informative article. Thanks to them! Native Intelligence is a provider of cybersecurity awareness training, newsletters, and resources.