Security Awareness Training: A Must for DoD CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a cohesive cybersecurity standard based on various security frameworks, including NIST SP 800-171 and the International Organization of Standardization (ISO). It features five cybersecurity maturity levels and 17 domains that outline specific requirements that Department of Defense (DoD) contractors must meet before they can work on government contracts. These domains are:

• Access control
• Asset management
• Audit and accountability
• Awareness and training
• Configuration management
• Identification and authentication
• Incident response
• Maintenance
• Media protection
• Personnel security
• Physical security
• Recover
• Risk management
• Security assessment
• Situational awareness
• System and communications protection
• System and information integrity

Here's what organizations need to know about the Awareness and Training (AT) domain and the DoD CMMC requirements that contractors must meet to pass an audit and get a certificate.

What Is the CMMC Awareness and Training Domain?

The CMMC AT domain requires DoD contractors to have an effective cybersecurity training program. Complying with the requirements of this domain is a must for companies looking for a CMMC maturity certification Level 2 and higher. The two AT capabilities defined by the CMMC are:

1. Capability C011 Conduct Security Awareness Activities

This capability features two practices, including:

• AT.2.056: Cybersecurity awareness training for all users

This practice ensures that managers, system administrators, and users of company systems are conscious of the various security risks related to their activities, and the procedures, standards, and policies related to the security of those systems.

Contractors can comply with this DoD CMMC requirement by conducting an annual cybersecurity awareness training. This training program must be customizable and should come with links to a company's security policies and the contact information of its security department.

• AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats

Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors involved in becoming an insider threat, as well as a less formal way of reporting potential threats to avoid discrimination among friends and colleagues.

2. Capability C012 Conduct Training

There are three practices under this capability, including:

• AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.

Contractors should implement security training designed for system administrators, help desk, developers, and testers. Cybersecurity personnel should also possess security certifications such as a Certified Information Systems Security Professional (CISSP).

• AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or if new threats are discovered.

To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.

• AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must offer feedback to personnel involved in the training.

This practice is designed to enhance a contractor's security awareness training by including exercises associated with real-world threats. Also, the requirement to provide feedback is to ensure contractors are being proactive in measuring the value provided by these security exercises.

AT.4.059 and AT.4.060 are meant for contractors aiming for a DoD CMMC certification Level 4 or higher because they are the ones frequently targeted by advanced threat actors.

Security Awareness Training for the Other CMMC Domains

There are an additional 14 CMMC practices outside the AT domain that can benefit from a robust cybersecurity awareness training program:

• AC.2.006: Limiting the use of personal portable storage devices on external systems
• AC.1.003: Verify, control, and limit the use of and connections to external information systems
• AC.1.004: Information processed and posted on publicly accessible systems should be monitored and controlled
• SC.3.193: Implement rules and guidelines prohibiting the publication of CUI on public websites and platforms
• AC.2.016: Check the flow of CUI following approved authorizations
• MA.3.115: Remove CUI from all equipment before taking them off-site for maintenance
• MP.1.118: Any information system media that contains FCI should be destroyed or sanitized before being reused or disposed
• MP.3.122: All media storing CUI should be properly marked
• MP.2.119: Safeguard system media storing digital and paper CUI
• MP.3.123: Portable storage devices with no identifiable owner should not be used
• PE.1.131: Only authorized personnel will be given physical access to company equipment, information systems, and operating environments
• PE.1.132: Escort visitors and monitor their activity
• PE.1.133: Keep updated audit logs of physical access
• PE.3.136: Implement strict security measures for CUI stored in off-site locations

If you’re looking to get a DoD CMMC certificate but don’t know where to start, Charles IT can help.  We provide affordable security and compliance assessments to ensure your company passes its DoD CMMC compliance audit. Start your gap assessment now.