Back to Control Explorer

AT.2.056

Content

Control Acronym

AT

Family

Awareness And Training

CMMC Level

2

800-171 Control #

3.2.1

CMMC Description

Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

CMMC Clarification

Awareness training focuses user attention on security. You can use several techniques to do this: * instructor or online training * security awareness campaigns * posters and email advisories and notices to employees. There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Rolebased training focuses on the knowledge, skills, and abilities needed to complete a specific job. Example You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including: * suspicious-looking email address or domain name * a message that contains an attachment or URL * a message that is poorly written and often contains obvious misspelled words. You encourage everyone to not click on attachments or links in a suspicious email. You tell employees to forward such a message immediately to their IT security administrator. You download free security awareness posters to hang in the office. Also, you send regular emails and tips to all employees. This ensures that your message is not forgotten over time. Cybersecurity

800-171 Description

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

800-171 Discussion

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. [SP 800-50] provides guidance on security awareness and training programs.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 17.3

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AT-2, AT-3

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.2.1

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5

CERT RMM Reference

CERT RMM v1.2 OTA:SG1.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Sub-Criterias

Assessment Sub-Criteria 1

AT.2.056.[a] security risks associated with organizational activities involving CUI are identified;

Assessment Sub-Criteria 2

AT.2.056.[b] policies, standards, and procedures related to the security of the system are identified;

Assessment Sub-Criteria 3

AT.2.056.[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and

Assessment Sub-Criteria 4

AT.2.056.[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15