Don’t be fooled by the “easy” look of the three controls in the Awareness and Training family of NIST SP 800-171, which are requirements in CMMC 2.0. A training and awareness program takes a significant amount of time to plan and create, and requires ongoing management.
Security of Organizational Systems
| Control | Requirement |
|---|---|
| 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. |
Role-specific training, system-specific training, and continual security awareness campaigns are excellent tools for ensuring that system administrators and users are cognizant of system security risks, follow acceptable use procedures, and report any perceived weaknesses or threats observed in the system.
Team meetings and project kick-offs are also appropriate venues for cautionary reminders regarding system security. Training and preparing team leaders to be the champions of security risk awareness may require a shift in mindset, which is best driven by organizational leaders, whose visible support lends credibility to the importance of the policies and procedures in maintaining the security of the organization.
Security of Personnel Activities and Procedures
| Control | Requirement |
|---|---|
| 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. |
Depending on the types of information an organization handles, documented policies and procedures are the best tool for information security training and awareness and provide a static reference for personnel if any threat or breach of security is suspected.
Applicable topics for policies and procedures include:
- Information Security
- Acceptable Use
- Access Control
- Asset Management
- Back-up Responsibilities
- Bring-Your-Own Device
- Change Management
- Clear Desk and Clear Screen
- Data Protection
- Incident Management
- Information Classification
- Insider Threat Awareness
- Internet Usage
- Mobile Computing and Teleworking
- Password Management
- Physical Security
- Risk Management
- Secure Development
- Special Information Handling
- Supplier Security
- Vulnerability Assessment
Periodic refresher training and awareness campaigns keep information fresh in everyone’s minds, with special attention given to common social engineering tactics employed by bad actors (e.g., pretexting, phishing/vishing, business email compromise (BEC), CEO fraud), password security, and safe internet usage.
| Control | Requirement |
|---|---|
| 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. |
Awareness and training regarding identifying possible insider threats bears special mention, as incidents involving internal malicious and accidental data compromise continue to increase at an alarming rate, and can be among the most difficult to intercept.
The Cybersecurity & Infrastructure Security Agency (CISA) gives an excellent overview of ways to identify and manage Insider Threats at https://www.cisa.gov/defining-insider-threats.
Training should include, at a minimum, awareness of common digital and behavioral indicators of potential insider threat, and methods available to personnel to report any perceived insider threat.
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.
Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC). Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements. An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.
As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on-premises and cloud-based solutions to assist you with your compliance needs.
FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC Registered Provider Organization.
Please visit https://foxguardsolutions.com/cmmc/ for more information.