


Control Acronym



Awareness And Training

CMMC Level


800-171 Control #


CMMC Description

Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

CMMC Clarification

This practice increases the effectiveness of security awareness and training by including exercises that relate directly to real-world threats. In addition, the intent of the feedback requirement is to ensure that the organization proactively measures the value being achieved by these exercises.

Example

You manage cyber awareness training for the company. You have been notified by the company cybersecurity team that a well-known cyber-attack team known as “Fancy Bear” has recently gone after peer organizations. You create a well-targeted phishing exercise that appears to come from an external source and is aimed at company employees in the software development branch. When an employee clicks on a “bad” link, the receiving server sends a notice to corporate security, and once the exercise ends a message is automatically generated to notify the employee that they should not have clicked the link and to provide the clues that would have allowed them to identify the phishing attempt.

In an effort to “raise their game” in the speed and relevance of the phishing prevention program, you work with the IT branch to create a process that reuses actual “same day” phishing attacks identified by the email defenses. The first step is to neutralize the emails by replacing attachments with corporate “Trojan horse” files and external links with a link to a corporate phishing remote server. Then the neutered but authentic phishing email is sent to the previous set of corporate addresses. Doing this allows you to train staff against actual threats at a faster pace and saves the overhead of creating a realistic-looking phishing message.

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B (MODIFIED) Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTPs) of the threat. Examples of practical exercises include no-notice social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potential serious problem. [Modified only to remove requirement to notify supervisors from NIST SP 800-171B 3.2.2e].

CIS Control References

CIS Controls v7.1 17.1, 17.2, 17.4

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AT-2(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5

CERT RMM Reference


Modification of NIST 800-171B Reference

CMMC modification of Draft NIST SP 800-171B 3.2.2e

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15