Ransomware, phishing, password cracking, social engineering: these are all REAL threats, and they are only getting worse as cybercriminals get better. If you are a DoD contractor, it’s time to get your staff on the same security page. If your staff isn’t trained in cybersecurity hygiene, they’re putting your entire organization at risk.
As part of CMMC compliance, Security Awareness and Training (AT) is one of the 17 domain requirements that companies seeking CMMC maturity certification level 2 or higher must meet before working on government contracts.
The requirement means you must have an effective cybersecurity training program in place. There are five AT practices, grouped into two capabilities: C011 Conduct Security Awareness Activities and C012 Conduct Training. Here’s a look at how the practices break down.
C011 includes two practices:
AT.2.056: Cybersecurity awareness training for all users
This practice ensures that managers, system administrators, and users of company systems are aware of the security risks related to their activities, and of the procedures, standards, and policies that govern the security of those systems.
Contractors can comply with this DoD CMMC requirement by conducting annual cybersecurity awareness training. The training program must be customizable and should include links to the company’s security policies and the contact information of its security department.
AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats
Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors involved in becoming an insider threat, and it must offer a less formal way of reporting potential threats, so that concerns about friends and colleagues can be raised without stigma.
C012 includes these four practices:
AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.
Contractors should implement security training designed for system administrators, help desk staff, developers, and testers. Cybersecurity personnel should also hold security certifications such as Certified Information Systems Security Professional (CISSP).
AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or whenever new threats are discovered. (Applies to certification levels 4 or higher)
To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.
AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must provide feedback to the personnel taking part in the training. (Applies to certification levels 4 or higher)
This practice is designed to strengthen a contractor’s security awareness training by including exercises based on real-world threats. The feedback requirement ensures that contractors proactively measure the value these exercises provide.
How you get trained is important too. SME’s CMMC experts are Certified Security Awareness Practitioners, or CSAP. Our security awareness training program includes everything you need to select the right content, deploy your training, and obtain detailed reporting on progress and completion. Don’t put off this important CMMC certification requirement. Our training programs are easy to arrange and affordable. Start your Security Awareness and Training domain requirement today!