Back to Control Explorer
AT.4.059
Content
Control Acronym
AT
Family
Awareness And Training
CMMC Level
4
800-171 Control #
N/A
CMMC Description
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
CMMC Clarification
This practice requires that awareness training specifically include tactics and indicators used by advanced cyber threat actors. The intent is to go beyond the basic cyber security awareness training elements such as password management and good cyber hygiene and to broaden awareness for more advanced attack techniques. Example You manage cyber awareness training for the company. You are notified by a cybersecurity team member that a well-known cyber-attack team known as Fancy Bear has recently gone after peer organizations. The team member shares that one of their most common first steps is to look up employees via publicly available information sources, such as social media and corporate connection applications, and then craft well-targeted phishing attacks against software developers that invites them to a free conference in an overseas location. You quickly create and disseminate materials to sensitize corporate software developers to email phishing attacks and provide specific information, including examples, of prior Fancy Bear phishing emails as well as “friend” and “connection” requests. You also include the updates in the standard awareness training for the entire organization.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
DRAFT NIST SP 800-171B One of the most effective ways to detect APT activities and to reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security aware workforce provides another organizational safeguard that can be employed as part of a defense- in-depth strategy to protect organizations against malicious code injections via email or the web applications. Threat awareness training includes educating individuals on the various ways APTs can infiltrate into organizations including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in nonsecure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving.
CIS Control References
CIS Controls v7.1 17.1, 17.2, 17.4
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 AT-2
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
CERT RMM Reference
CERT RMM v1.2 OTA:SG2.SP1
Modification of NIST 800-171B Reference
NIST 800-171B Reference
Draft NIST SP 800-171B 3.2.1e