Why Security Awareness Training Is Essential for CMMC Compliance


The US Department of Defense (DoD) works with over 100,000 companies and their subcontractors that are part of the Defense Industrial Base (DIB) sector. This sector “enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements.” Given the amount of money and highly sensitive information that this sector receives from the DoD, it is not surprising that DIB companies are targeted by cyberattacks. 

In response to such cyberattacks, the DoD required the DIB sector to comply with Cybersecurity Maturity Model Certification (CMMC) requirements. The first version of the CMMC framework (CMMC 1.0) had 17 domains that outlined specific requirements DIB companies must meet, and one of those was the Awareness and Training (AT) domain. 

While the DoD has already announced key changes to the framework with the launch of CMMC 2.0, they have yet to release more information. Therefore, in this blog, we will delve into the AT domain using details from CMMC 1.0. 

What is the CMMC Awareness and Training domain?

The AT domain requires DIB companies aiming to achieve CMMC Level 2 or higher to have an effective security awareness training program. This means that companies must have the following two capabilities, exhibited by implementing the related practices:

AT Capability #1: C011 Conduct security awareness activities

  • AT.2.056: “Ensure that all managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.”

  • AT.3.058: “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

AT Capability #2: C012 Conduct training

  • AT.2.057: “Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”

  • AT.4.059: “Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”

  • AT.4.060: “Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”

Why is security awareness training key to CMMC compliance?

DoD contractors must invest in their staff’s security awareness training for the following reasons: 

IT security measures can be undone by poor practices

IT security solutions, such as firewalls and antivirus programs, are essential to building an effective cyber defense. However, solely relying on these is not enough since users can inadvertently compromise these security measures. For example, they may unknowingly plug in malware-laden USB drives from unknown sources, thereby infecting their company’s IT system. They may also postpone and then forget about installing software updates. Some may even ignore security notifications from their antivirus software. Such poor practices can be prevented if employees are properly trained in cybersecurity. 

Human error is the top cause of data breaches

Today, hackers are increasingly breaching IT security not through technical means but by taking advantage of users’ propensity for committing mistakes. For example, they launch phishing attacks to trick people into giving up sensitive information or wiring money to a fraudulent bank account. In fact, phishing was reportedly the top DIB-reported cyberthreat in Q2 2021. In that quarter, for instance, Russian hackers sent phishing emails, pretending to be from USAID, to government agencies, think tanks, consultants, and nongovernmental agencies. 

Moreover, cybersecurity firm Tessian’s 2020 Psychology of Human Error study found that human error was the cause of approximately 88% of all data breaches. Verizon’s 2021 Data Breach Investigations Report also stated that the human element was involved in 85% of breaches. These statistics indicate that companies must increase their staff's know-how to minimize vulnerabilities in their IT environment. 

Security awareness training is relatively inexpensive, while data breaches can cost millions of dollars — $4.24 million on average. What’s worse is that a cyberattack on the DIB sector may even threaten US national security since this sector deals with confidential military information.

Insider threats are on the rise

According to Ponemon Institute’s 2022 Cost of Insider Threats Global Report, the frequency of insider-led security incidents rose by 44% over the past two years. The cost of addressing an internal security issue also increased from $11.45 million in 2020 to $15.38 million at present. Insider threat-related incidents can be minimized if employees are regularly trained in cybersecurity. This is because they will be better equipped to recognize and report potential insider threats. 

Do you need help with your company’s security awareness training?

The security experts of Charles IT can empower your employees to safeguard your company data through comprehensive security awareness training. Not only that, but we can also help you achieve CMMC compliance with our three-step process: gap assessment, CMMC services enlistment, and CMMC audit assessment. Get in touch with us today to learn more!