Reference: CMMC v2.13
Family: AT
Level Introduced: 2
Title: Role-Based Risk Awareness
Practice:
Inform managers, systems administrators, and users of organizational systems of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Further Discussion:
Awareness training focuses user attention on security. Several techniques can be used, such as:
• synchronous or asynchronous training;
• simulations (e.g., simulated phishing emails);
• security awareness campaigns (posters, reminders, group discussions); and
• communicating regular email advisories and notices to employees.
Awareness training and role-based training are different. This requirement, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.
Example
Your organization holds a DoD contract which requires the use of CUI. You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:
• suspicious-looking email address or domain name;
• a message that contains an attachment or URL; and
• a message that is poorly written and often contains obvious misspelled words.
You encourage everyone to not click on attachments or links in a suspicious email [c]. You tell employees to forward such a message immediately to IT security [d]. You download free security awareness posters to hang in the office [c,d]. You send regular emails and tips to all employees to ensure your message is not forgotten over time [c,d].
Potential Assessment Considerations
• Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
• Do training materials identify the organization-defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-171 Requirements v2 (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.