The regulations call out Security Awareness Training, so how do you stay compliant?
Everyone in the government space is talking about it. So, what is it?
CMMC - “Cybersecurity Maturity Model Certification”
It wouldn’t be government without the acronyms, so buckle up...
It’s a framework designed for the protection of the US Defense Industrial Base (DIB). Specifically, the focus is on securing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This essentially refers to any form of sensitive unclassified data that a contractor (or sub-contractor) creates or possesses for or on behalf of the government.
Ultimately, this became extremely important for organizations seeking DoD (Department of Defense) contracts after the Interim Rule became effective on November 30, 2020.
CMMC certification requires an assessment from a C3PAO (Certified Third Party Organization).
How does CMMC relate to NIST?
From a quick pass, you’ll see that CMMC includes a lot of requirements out of NIST SP 800-171. This is not all, though. CMMC also incorporates controls from NIST 800-53, AIA’s NAS 9933 and CERT’s Resilience Management Model.
Ok, one last (and critical) point on this relationship: CMMC includes five levels of maturity. These levels build on one another, meaning the requirements of each higher level include those of the levels below. So you can move step-wise from 1 to 2 to 3… you get it.
Ok, I think we’re done with all the acronyms. Now let’s dig into the Security Awareness Training requirements at each level! These are all the requirements labeled Awareness and Training, or “AT.”
Explicit Security Awareness Training requirements start at Level 2.
This means Level 1 doesn't include any explicit AT requirements for Security Awareness Training, so let's keep moving.
AT.2.056: All Users Must Receive Cybersecurity Awareness Training
“Ensure that all managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.”
AT.2.057: Training must include security-related duties
“Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”
Your INFIMA Security Awareness Training covers these topics!
AT.3.058: Train on Insider Threats
“Provide security awareness training on recognizing and reporting potential indicators of insider threat.”
Your INFIMA Security Awareness Training covers these topics too!
AT.4.059: Train on current cyber threats and update training at least annually
“Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”
AT.4.060: Practical user testing and feedback
“Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”
And yes, your INFIMA Security Awareness Training covers this too!
As you move toward higher levels of CMMC Certification, you'll want to ensure your Training program stays right there with you.
Are you ready to take action?
We make it easy to keep your Training current. Find out how to protect your team with INFIMA's Automated Security Awareness platform.
Start with a quick quote - hit us up