CMMC Awareness and Training Domain: ABC’s and FAQ’s

What are the CMMC Awareness and Training Domain Capabilities and Practices?

The Awareness and Training domain practices basically make security awareness training a prerequisite for access to information systems and operating environments that process, store, or transmit CUI, and thus for CMMC compliance. Implementing a security awareness training program has compliance implications for the OSC’s entire CUI ecosystem.

  • 2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. The goal of this practice is to ensure that the Awareness and Training capability accounts for role-based training, including security awareness training for end users, systems administrators, and their respective managers. The training material must communicate the security risks associated with key systems, the established policies governing the program, and the processes and procedures that document how the policy is enforced. AT.2.056 applies at CMMC Level 2 and above.
  • 3.058: Provide cybersecurity awareness training to identify and report possible insider threats. Required for CMMC Level 3 compliance (the minimum level for handling CUI), this control mandates that organizations specifically conduct insider threat training: what it is, what it is not, how to identify it, and how to report it.
  • AT.4.059: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. This practice mandates special training to increase awareness of Advanced Persistent Threats (APTs) by including the tactics, techniques, and procedures used by APT organizations within the training program. APTs pose significant risk for all OSCs, but are addressed at CMMC Level 4 and above.
  • 4.060: Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training. Also a CMMC Level 4 requirement, this practice directs OSCs to provide scenario-based training exercises that validate the effectiveness of the Awareness and Training capability while preparing staff for the “real-world” threats they are most likely to face, e.g., a ransomware attack or spear-phishing scam. The need to share results with training participants is meant to ensure that the exercises and the training program provide quantifiable value.
  • 2.057: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. This control mandates that staff with different or additional cybersecurity training needs, such as admins, help desk staff, and software development and test team members, receive training that is specific or relevant to their roles. For security team members, this can mean attaining security certifications like Certified Ethical Hacker (CEH) or Certified Information Systems Security Professional (CISSP).

What Is Required to Comply With the Controls In the Awareness and Training Domain?

If your overall CMMC compliance requirement is for CMMC Level 1 or 2, you can probably meet that with an annual security training course that is either company-wide or specific to staff working on US Federal government contracts.

How Else Can Security Awareness Training Help With CMMC Compliance and Overall Security?

As noted above, besides the five practices in the Awareness and Training domain there are about 14 additional practices in other domains at levels 1, 2 and 3 where a properly designed security awareness training program can augment and reinforce your policies and procedures.

  • 1.003 Verify and control/limit connections to and use of external information systems.
  • 1.004 Control information posted or processed on publicly accessible information systems.
  • 2.006 Limit use of portable storage devices on external systems.
  • 2.016 Control the flow of CUI in accordance with approved authorizations.
  • 1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  • 2.119 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
  • 3.122 Mark media with necessary CUI markings and distribution limitations.
  • 3.123 Prohibit the use of portable storage devices when such devices have no identifiable owner.
  • 1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • 1.132 Escort visitors and monitor visitor activity.
  • 1.133 Maintain audit logs of physical access.
  • 3.136 Enforce safeguarding measures for CUI at alternate work sites.
  • 3.115 Ensure equipment removed for offsite maintenance is sanitized of any CUI.
  • 3.193 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).



Pivot Point Security

We are a trusted source of simple, practical, and actionable information security guidance.