Back to Control Explorer
AT.2.057
Content
Control Acronym
AT
Family
Awareness And Training
CMMC Level
2
800-171 Control #
3.2.2
CMMC Description
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
CMMC Clarification
Training imparts skills and knowledge. It enables staff to perform a specific resilience function. Training programs identify cybersecurity skill gaps within your organization. Then, the programs train users on their specific cybersecurity roles and responsibilities. There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Role based training focuses on the knowledge, skills, and abilities needed to complete a specific job. Example Your company upgraded the firewall to a newer, more advanced system. Your company identified you as an employee who needs training on the device. This will enable you to use it effectively. Your company considered this when it planned for the upgrade. It made training funds available as part of the upgrade project.
800-171 Description
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
800-171 Discussion
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. [SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 17.5, 17.6, 17.7, 17.8, 17.9
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 AT-2, AT-3
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.2.2
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
CERT RMM Reference
CERT RMM v1.2 OTA:SG4.SP1
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
AT.2.057.[a] information security-related duties, roles, and responsibilities are defined;
Assessment Sub-Criteria 2
AT.2.057.[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
Assessment Sub-Criteria 3
AT.2.057.[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.