Back to Control Explorer



Control Acronym



Awareness And Training

CMMC Level


800-171 Control #


CMMC Description

Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

CMMC Clarification

This practice requires that awareness training specifically include tactics and indicators used by advanced cyber threat actors. The intent is to go beyond the basic cyber security awareness training elements such as password management and good cyber hygiene and to broaden awareness for more advanced attack techniques. Example You manage cyber awareness training for the company. You are notified by a cybersecurity team member that a well-known cyber-attack team known as Fancy Bear has recently gone after peer organizations. The team member shares that one of their most common first steps is to look up employees via publicly available information sources, such as social media and corporate connection applications, and then craft well-targeted phishing attacks against software developers that invites them to a free conference in an overseas location. You quickly create and disseminate materials to sensitize corporate software developers to email phishing attacks and provide specific information, including examples, of prior Fancy Bear phishing emails as well as “friend” and “connection” requests. You also include the updates in the standard awareness training for the entire organization.

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B One of the most effective ways to detect APT activities and to reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security aware workforce provides another organizational safeguard that can be employed as part of a defense- in-depth strategy to protect organizations against malicious code injections via email or the web applications. Threat awareness training includes educating individuals on the various ways APTs can infiltrate into organizations including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in nonsecure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving.

CIS Control References

CIS Controls v7.1 17.1, 17.2, 17.4

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AT-2

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

Draft NIST SP 800-171B 3.2.1e

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15