Practice AT.L2-3.2.1 Details - Revision history

David: /* FURTHER DISCUSSION */

2025-04-13T20:29:28Z

FURTHER DISCUSSION

← Older revision		Revision as of 20:29, 13 April 2025
Line 35:		Line 35:
	* communicating regular email advisories and notices to employees.		* communicating regular email advisories and notices to employees.

	Awareness training and role-based training are different. This practice, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2- 3.2.2.		Awareness training and role-based training are different. This practice, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.

	'''Example'''		'''Example'''
Line 49:		Line 49:
	* Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?		* Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
	* Do training materials identify the organizationally defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?		* Do training materials identify the organizationally defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?

	=== KEY REFERENCES ===		=== KEY REFERENCES ===
	* NIST SP 800-171 Rev 2 3.2.1		* NIST SP 800-171 Rev 2 3.2.1

David at 01:18, 16 March 2025

2025-03-16T01:18:16Z

← Older revision		Revision as of 01:18, 16 March 2025
Line 15:		Line 15:
	'''Examine'''		'''Examine'''

	[SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan;training records; other relevant documents or records].		[SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan; training records; other relevant documents or records].

	'''Interview'''		'''Interview'''
Line 25:		Line 25:
	[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].		[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].
	=== DISCUSSION ===		=== DISCUSSION ===
	Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access.The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security.Security awareness techniques include: formal training;offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.		Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.

	NIST SP 800-50 provides guidance on security awareness and training programs.		NIST SP 800-50 provides guidance on security awareness and training programs.

David at 22:36, 15 March 2025

2025-03-15T22:36:16Z

← Older revision		Revision as of 22:36, 15 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS == === SECURITY REQUIREMENT === Ensure that managers, systems administrators, and users of organizational systems are m..."

2022-02-24T20:00:50Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS == === SECURITY REQUIREMENT === Ensure that managers, systems administrators, and users of organizational systems are m..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS ==
=== SECURITY REQUIREMENT ===
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] security risks associated with organizational activities involving CUI are identified;
: [b] policies, standards, and procedures related to the security of the system are identified;
: [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan;training records; other relevant documents or records].

'''Interview'''

[SELECT FROM: Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community; personnel with responsibilities for role-based awareness training].

'''Test'''

[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].
=== DISCUSSION ===
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access.The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security.Security awareness techniques include: formal training;offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.

NIST SP 800-50 provides guidance on security awareness and training programs.
=== FURTHER DISCUSSION ===
Awareness training focuses user attention on security. Several techniques can be used, such as:
* synchronous or asynchronous training;
* simulations (e.g., simulated phishing emails);
* security awareness campaigns (posters, reminders, group discussions); and
* communicating regular email advisories and notices to employees.

Awareness training and role-based training are different. This practice, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2- 3.2.2.

'''Example'''

You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:
* suspicious-looking email address or domain name;
* a message that contains an attachment or URL; and
* a message that is poorly written and often contains obvious misspelled words.

You encourage everyone to not click on attachments or links in a suspicious email [c]. You tell employees to forward such a message immediately to IT security [d]. You download free security awareness posters to hang in the office [c,d]. You send regular emails and tips to all employees to ensure your message is not forgotten over time [c,d].

'''Potential Assessment Considerations'''
* Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
* Do training materials identify the organizationally defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.2.1