The Cybersecurity Maturity Model Certification (CMMC) framework categorizes information security best practices and technical controls into 17 domains. Each domain includes various capabilities, processes and practices spanning the CMMC’s five maturity levels. US Department of Defense (DoD) contractors and subcontractors will need to comply with CMMC at whatever maturity level their contract specifies, depending on the sensitivity of the Controlled Unclassified Information (CUI) they handle (the cyber threats faced across the Defense Industrial Base (DIB) are generally similar).
With a total of five practices organized into two capabilities at CMMC levels 2, 3 and 4, the Awareness and Training (AT) domain focuses on ensuring that the organization seeking certification (OSC) has an effective security awareness training program and associated policies and procedures in place, including role-based and specialized training for specific classes of attacks against CUI at maturity levels 3 and 4. These controls are essential because many SMBs do a poor job of communicating security responsibilities and the importance of “thinking security” to their employees, which leaves them open to successful attacks, especially phishing.
What are the CMMC Awareness and Training Domain Capabilities and Practices?
The Awareness and Training domain practices essentially make security awareness training a prerequisite for access to information systems and operating environments that process, store, or transmit CUI, and thus a prerequisite for CMMC compliance. Implementing a security awareness training program has compliance implications for the entire OSC’s CUI ecosystem.
There are no Awareness and Training controls at CMMC Level 1, “basic cyber hygiene,” which is the minimum criteria for handling Federal Contract Information (FCI). The two Awareness and Training capabilities both kick in at CMMC Level 2.
The first Awareness and Training domain capability is C011, “Conduct security awareness activities.” This capability includes four practices:
- 2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. The goal of this practice is to ensure that the Awareness and Training capability accounts for role-based training, including security awareness training for end users, systems administrators, and their respective managers. The training material must communicate the security risks associated with key systems, the established policies governing the program, and the processes and procedures that document how the policy is enforced. AT.2.056 applies at CMMC Level 2 and above.
- 3.058: Provide cybersecurity awareness training to identify and report possible insider threats. Required for CMMC Level 3 compliance (the minimum level for handling CUI), this control mandates that organizations specifically conduct insider threat training: what it is, what it is not, how to identify it, and how to report it.
- 4.059: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. This practice mandates special training to increase awareness of Advanced Persistent Threats (APTs) by including the tactics, techniques, and procedures used by APT organizations within the training program. APTs pose significant risk for all OSCs, but are addressed at CMMC Level 4 and above.
- 4.060: Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training. Also a CMMC Level 4 requirement, this practice directs OSCs to provide scenario-based training exercises that validate the effectiveness of the Awareness and Training capability while preparing staff for the “real-world” threats they are most likely to actually face; e.g., a ransomware attack or a spear-phishing scam. The requirement to share results with training participants is meant to ensure that the exercises and the training program provide quantifiable value.
The second Awareness and Training capability is C012, “Conduct training.” This capability includes one control, which applies to CMMC Level 2 and higher:
- 2.057: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. This control mandates that staff with different or additional cybersecurity training needs, such as admins, help desk staff, and software development and test team members, receive training that is specific and relevant to their roles. For security team members, this can mean attaining security certifications like Certified Ethical Hacker (CEH) or Certified Information Systems Security Professional (CISSP).
What Is Required to Comply With the Controls In the Awareness and Training Domain?
If your overall CMMC compliance requirement is for CMMC Level 1 or 2, you can probably meet that with an annual security training course that is either company-wide or specific to staff working on US Federal government contracts.
Regardless of your industry, your workforce needs to be aware of the information security risk that their actions and choices pose, and how to do their jobs in a way that minimizes that risk. You also need to tie security training to your actual policies and procedures in a user-friendly, cohesive way (versus just directing people to read policy documents).
You don’t want your employees to be the weakest link in your security strategy, especially when it comes to commonplace yet potentially devastating attacks like ransomware and phishing gambits targeting access credentials. Thus, an annual security awareness training course is probably the minimum level of training any business should consider.
If you need to comply with CMMC Level 3 or above, you’ll have the additional responsibility to provide targeted training on handling and safeguarding CUI, and on how to identify and report insider threats. This is a requirement for handling CUI, which faces significantly greater risk from “insider” actions, whether intentional or unintentional.
CMMC Level 4 compliance includes security training against APTs. These attacks gather data from behind the firewall over a long period of time and use it to build a customized attack to exfiltrate valuable data. Targeted APT training emphasizes detection and reporting of APTs, as well as basic awareness of what TTPs (i.e., clues or indicators of compromise) APTs might leave behind that employees could potentially spot.
Finally, achieving the maturity required to pass a CMMC assessment involves collecting and presenting evidence that controls are in place and effective. As you conduct security awareness training, it is important to keep records so you can show your auditor how often you conducted training, what it focused on, who took it, how participants were evaluated, what results were seen, and so on.
How Else Can Security Awareness Training Help With CMMC Compliance and Overall Security?
As noted above, besides the five practices in the Awareness and Training domain there are about 14 additional practices in other domains at levels 1, 2 and 3 where a properly designed security awareness training program can augment and reinforce your policies and procedures.
In general, the kinds of controls that benefit from training are those where employees’ actions can make or break the security barrier. Within the CMMC framework, these controls include:
Access Control (AC) domain
- 1.003 Verify and control/limit connections to and use of external information systems.
- 1.004 Control information posted or processed on publicly accessible information systems.
- 2.006 Limit use of portable storage devices on external systems.
- 2.016 Control the flow of CUI in accordance with approved authorizations.
Media Protection (MP) domain
- 1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- 2.119 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- 3.122 Mark media with necessary CUI markings and distribution limitations.
- 3.123 Prohibit the use of portable storage devices when such devices have no identifiable owner.
Physical Protection (PE) domain
- 1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- 1.132 Escort visitors and monitor visitor activity.
- 1.133 Maintain audit logs of physical access.
- 3.136 Enforce safeguarding measures for CUI at alternate work sites.
Maintenance (MA) domain
- 3.115 Ensure equipment removed for offsite maintenance is sanitized of any CUI.
Systems and Communications Protection (SC) domain
- 3.193 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
If you have questions about best-practice approaches to help your organization address security awareness training or other CMMC practices and processes, contact Pivot Point Security to talk with a CMMC expert.