The US Department of Defense (DoD) works with over 100,000 companies and their subcontractors that are part of the Defense Industrial Base (DIB) sector. This sector “enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements.” Given the amount of money and highly sensitive information that this sector receives from the DoD, it is not surprising that DIB companies are targeted by cyberattacks.
In response to such cyberattacks, the DoD required the DIB sector to comply with Cybersecurity Maturity Model Certification (CMMC) requirements. The newest version of the CMMC framework (CMMC 2.0) had 14 domains that outlined specific requirements DIB companies must meet, and one of those was the Awareness and Training (AT) domain.
What is the CMMC Awareness and Training domain?
The AT domain requires DIB companies aiming to achieve CMMC Level 2 or higher to have an effective security awareness training program. This means that companies must have the following two capabilities, exhibited by implementing the related practices:
AT Capability #1: C011 Conduct security awareness activities
- AT.2.056: “Ensure that all managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.”
- AT.3.058: “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”
- AT.2.057: “Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”
- AT.4.059: “Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”
- AT.4.060: “Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”
Why is security awareness training key to CMMC compliance?
DoD contractors must invest in their staff’s security awareness training for the following reasons:
IT security measures can be undone by poor practices
IT security solutions, such as firewalls and antivirus programs, are essential to building an effective cyber defense. However, solely relying on these is not enough since users can inadvertently compromise these security measures. For example, they may unknowingly plug in malware-laden USB drives from unknown sources, thereby infecting their company’s IT system. They may also postpone and then forget about installing software updates. Some may even ignore security notifications from their antivirus software. Such poor practices can be prevented if employees are properly trained in cybersecurity.
Human error is the top cause of data breaches
Today, hackers are increasingly breaching IT security not through technical means but by taking advantage of users’ propensity for committing mistakes. For example, they launch phishing attacks to trick people into giving up sensitive information or wiring money to a fraudulent bank account. In fact, phishing was reportedly the top DIB-reported cyberthreat back in 2021. In that quarter, for instance, Russian hackers sent phishing emails, pretending to be from USAID, to government agencies, think tanks, consultants, and nongovernmental agencies.
Moreover, cybersecurity firm Tessian’s Psychology of Human Error study found back in 2020 that human error was the cause of approximately 88% of all data breaches. More recently, Verizon’s 2024 Data Breach Investigations Report also stated that the human element was involved in 68% of breaches. These statistics indicate that companies must increase their staff's know-how to minimize vulnerabilities in their IT environment.
Security awareness training is relatively inexpensive, while data breaches can cost millions of dollars — $4.88 million on average. What’s worse is that a cyberattack on the DIB sector may even threaten US national security since this sector deals with confidential military information.
Insider threats are on the rise
According to Ponemon Institute’s 2023 Cost of Insider Risks Global Report, 71% of businesses dealt with more than 40 incidents per year, which was an increase from 67% in 2022. It's also worth noting that the average cost of addressing an internal security issue is $7.2 million. Insider threat-related incidents can be minimized if employees are regularly trained in cybersecurity. This is because they will be better equipped to recognize and report potential insider threats.
Do you need help with your company’s security awareness training?
The security experts of Charles IT can empower your employees to safeguard your company data through comprehensive security awareness training. Not only that, but we can also help you achieve CMMC compliance with our three-step process: gap assessment, CMMC services enlistment, and CMMC audit assessment. Get in touch with us today to learn more!