Back to Control Explorer



Control Acronym



Awareness And Training

CMMC Level


800-171 Control #


CMMC Description

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

CMMC Clarification

An insider threat is an employee or contractor that is authorized for computing or network activities, but conducts malicious activity with that access. The insider threat security awareness training focuses on recognizing employee behaviors and characteristics that might be indicators of an insider threat and knowing the guidelines and procedures on how to handle and report it. Training for managers will provide guidance on observing team members to identify all potential threat indicators, while training for general employees will be slightly different and provide guidance for focusing on a smaller number of indicators. While all the indicators are important, general employees may be on different teams and knowledge of their job dissatisfaction or requests for information not required for adequate job performance is unknown. In other words, it is important to tailor the training for specific roles rather than having the same training program for everyone. Example You are responsible for training all employees on the awareness of high risk behaviors that can indicate a potential insider threat, so you add the following example to the training package: The organization has created a baseline of normal behavior for work schedules. One employee’s normal work schedule is 8:00 AM-5:00 PM, but another employee noticed that the employee has been working until 9:00 PM every day even though no special projects have been assigned and no short time frame deliverables have been identified. The observing employee reports the unjustified abnormal work schedule using the established guidelines of the organization.

800-171 Description

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

800-171 Discussion

Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AT-2(2)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.2.3

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AT.3.058.[a] potential indicators associated with insider threats are identified; and

Assessment Sub-Criteria 2

AT.3.058.[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15