It always comes down to the humans. Take the best security, add the tiniest friction, and all systems fail. That 2% of DNA separating us from chimpanzees really messes with your cyber hygiene.
If you want security you need to focus on the biggest attack vector: people.
The Cybersecurity Maturity Model Certification program revolves around a national awareness and training program to increase the validity and reliability of the cybersecurity hygiene of the defense industrial base.
Relying on self-assessments hurt the overall validity because of the scoring system used to determine compliance. Neither NIST SP 800-171 nor SP 800-171A, the assessment methodology, describes a scoring scheme. The model of starting with 110 points and subtracting 1, 3, or 5 points came from the Defense Contract Management Agency. It did not work.
Relying on self-assessments also hurt the overall reliability of knowing whether someone had achieved adequate compliance against NIST SP 800-171. A lot of revenue depends on contracts from the Department of Defense that carry the 7012 clause. Many companies lacked experience, or had past success with a business development strategy of ignoring Department of Defense mandates.
We use the amount of data exfiltration from small manufacturers as proof of the failure. We use the daily ransomware attacks DIB companies face as further observable evidence that self-assessment does not work.
CMMC requires us to realize cybersecurity isn’t everyone’s job. Cybersecurity IS everyone. You must control your story, data, and identity. The people matter.
In fact the CMMC model requires an Awareness and Training Policy at Level 2 (and thus at Level 3, given the cumulative nature of the model):
Establish a policy that includes Awareness and Training.
So how do you build an Awareness and Training policy? You need to understand what people need to know, when they need to know it, and how you will prove they know it. This begins, like all learning, by defining key terms.
What is Awareness?
I can know the dangers of swimming in rip tides and not have the training to jump in the water. All employees must have an awareness of threats your company faces.
In fact NIST SP 500-172 defines awareness as
sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them
Awareness, however, like swimming, does not equal training. In terms of cybersecurity, a company needs a general understanding of threats and cyber hygiene in order to grow. So I may hang Controlled Unclassified Information (CUI) posters in the enclave about our company policy to keep people aware, but that does not equal a training program on selecting the correct shredder for the destruction of paper-based CUI.
You may publish many of your policies in an employee handbook to make employees aware of security issues. You still need to train them.
What is Training?
Awareness focuses on what, and training focuses on why. Training takes longer, and the learner generates observable evidence of knowledge growth.
What Type of Awareness Programs do my Employees Need?
Based on the NIST SP 800-171A assessment objectives included in CMMC, you have to have an overall awareness of the threats CUI faces. All employees need an awareness of policies, standards, and procedures, often covered in the Employee Handbook and Acceptable Use Policies.
Your technical staff will need to know the security risks associated with their activities in order to keep data safe. This again requires developing operating system awareness, and you may need to run multiple awareness programs, one for each major and minor technical system.
Managers and system administrators need awareness of the applicable policies, standards, and procedures related to the security of the system. This will include reference documents, a required tour of a wiki or database, and Security Technical Implementation Guides (STIGs).
The Awareness and Training requirement that kicks in at Level Two of the Cybersecurity Maturity Model Certification:
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
- [a] security risks associated with organizational activities involving CUI are identified;
- [b] policies, standards, and procedures related to the security of the system are identified;
- [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
- [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
To meet the assessment objectives of this practice you will need to provide multiple types of security awareness and training programs.
What Type of Training Program Do My Employees Need?
Based on the NIST SP 800-171A assessment objectives included in CMMC, you have to have three domains of training: one focused on your CUI policy, a domain on threat analysis, and another on your system, security, and roles.
CMMC has an entire set of objectives on developing and deploying a CUI policy. In your training you need to ensure your managers and technical systems engineers or Managed Service Providers know how CUI gets protected on your system.
Your training around applicable policies, standards, and procedures related to the security of the system will need extensive documentation and will include recognizing educational certificates and providing your own training related to your reference architecture.
For example, AT.2.057, “ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities,” will require operating system training specific to a company’s reference architecture. You will rely on different certificate programs to ensure your technical staff can stay current as technology changes. You will need multiple trainings, one for each of the operating systems deployed on your major and minor systems that store, transmit, destroy, or create CUI as the result of a government contract.
What is the Purpose of my Awareness and Training Policy?
The first objective of AT.2.999, “Establish a policy that includes Awareness and Training,” requires you to have a purpose for your awareness and training policy. At Level Three you need a mission and strategic goals (AT.3.997, “Establish, maintain, and resource a plan that includes Awareness and Training,” objectives [b] and [c]).
We recommend you do this company wide in a threat awareness and training program. Explore the threats, external and internal, you face. Analyze risks to your business and supply chain.
Break employees into groups and have them draft threat analysis documents (a Level 4 requirement, but dumb to wait). Then, when you have an agreed list of threats, have the groups craft mission and goal statements.
You then work with the groups in a whole company setting to ensure your employees draft the policy statement you envision. Ownership builds awareness.
Many mature and large organizations will have awareness and training policies developed. You still should conduct ongoing threat analysis discussions at the department level.
Make sure folks are aware.
Who needs Awareness and Training?
Everyone. Awareness and training ensure policies and procedures become company culture, but your manager, sales staff, and security engineer need different awareness and training.
NIST Special Publication 800-16 “Information Technology Security Training Requirements” recommends creating a role based training matrix. You can combine this approach with CMMC requirements to create a full curriculum scope and sequence for your Awareness and Training program.
In the first column of the Matrix list all the user roles on your information systems. Include a row for “all.” You can group trainees by their roles as well.
Then create four domains in your awareness and training program:
- Employee Responsibilities
- Controlled Unclassified Information
- Information System Policies
- Reference Architecture
What training an employee receives in each domain depends on their role. For example, all employees may have to watch a training and certify they read the Employee Handbook and Acceptable Use Policies. You probably want a training on the email rules of your company for all employees.
For Level Three you need to document what will get learned. In fact, Assessment Objective [e] of AT.3.997 requires that “the plan documents the activities, due dates.” In your matrices, list the trainings and when their due dates occur.
Fill out the chart indicating when role based awareness and training occurs, what it includes, and how it is assessed.
Large companies may have an internal learning management system that tracks many of these metrics. Smaller companies may contract with a vendor. If you purchase IT or security products from MSPs or vendors, try to negotiate a training package or choose those you see as compliance partners.
What should Awareness and Training Cover?
You need to cover the four domains of knowledge but now you must develop the scope of learning objectives and the sequence of training for the matrices.
First, begin with employee responsibilities by examining the everyday, system-wide awareness and trainings all employees must get. This includes the employee handbook, sexual harassment, legal compliance, company-wide posters, and CUI handling posters and stickers: everyday business practices that require awareness and training.
Then decide which of these policies need actual training rather than awareness alone. This could include a short video summarizing the employee handbook with a quiz. Employees often have to attend mandatory trainings with a supervisor.
Once you have the list decide if the subject requires awareness or training. Add it to the matrix.
Controlled Unclassified Information
As we noted, you must include awareness and training so that the “security risks associated with organizational activities involving CUI are identified,” so basically you need to develop a CUI Training Program.
At Level Two your company will need awareness and training on the internal threats faced by companies who have a legal right to handle Controlled Unclassified Information on behalf of a government contract.
At Levels Two and Three your awareness and training program must include your company policies on the authorized use of CUI: receiving, creating, labeling, disseminating, transmitting, storing, and destroying it. This policy should cover the specific workflows for handling this information. You will also need to include your Incident Response Training on handling CUI data spillage.
At Level Four your CUI awareness and training program should include recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Information System Policies
Then you will have company-wide information system policies such as your password policy, email policy, how MFA works (please turn on MFA), device policy, and so on.
These Information System Policies apply to all employees; however, at this point you may have to start specializing. The account generation for your Mobile Device Management tools may differ from that of your payroll system. In fact, at this level you will start to specialize by operating system.
Different types of operating systems will require you to verify employee training through different certificates. If you deploy Kubernetes in Azure or use S3 in AWS GovCloud, each of those stacks has its own STIGs and certification programs.
You must consider all the major and minor systems, the data that flows through them, and the laws and regulations that govern how that data gets used and shared.
As a contractor you will also need to consider training your acquisition team on what kind of service level agreements you need in your vendor agreements with regard to information and technology systems. Trainings need to include examining vendor agreements and SLAs to determine whether proposed security solutions meet CMMC Level Three standards.
As Tom Cornelius of ComplianceForge notes, “You must see policy as a blueprint and not documentation. You are more an architect than a writer.”
As an organization you will need solid reference architecture on how you build secure systems that can handle a moderate baseline for the protection of Controlled Unclassified Information. You will have a set of documents that describe how to build the ideal environment for your use case. You will need awareness and training on how to use and update your reference architecture.
Take configuration management, for example. If you do not have clear configuration management documentation and provide baseline training on using the references, you will not have the basics of Access Control, the root of cybersecurity.
Next you can turn to the other Domains in CMMC to decide company wide training policy.
What other Domains Should Awareness and Training Cover?
The Awareness and Training you provide must go well beyond the practices and processes of the AT domain. In fact, according to Native Intelligence in a blog post on Amira Armond’s CMMC Audit, Awareness and Training needs to cover fourteen additional practices across five domains:
- Access Control (AC)
- Media Protection (MP)
- Maintenance (MA)
- Physical Protection (PE)
- Systems and Communications Protection (SC)
How to Get Started on an Awareness and Training Plan
Create an Instructional Leadership Team
You first begin by designating who owns your awareness and training program. The instructional leadership team should contain stakeholders from across the organization, not just from IT or your security team (if you even have either position). The team could include your Information System Security Officer, CIO, CTO, Information System Security Manager, human resources, facility security officer, or employees designated to serve on the instructional leadership team.
Craft Goals, Missions, and Objectives
Your Instructional Leadership Team then crafts your goals, mission, and objectives. This begins with a walkthrough of your threat environment. Understand the common threats to the sensitive data you hold.
You can have very generic goals, missions, and objectives for your trainings. You may want to consider utilizing the awareness and training domain to strengthen your talent across the board. However, CMMC only requires you to track system-security-related training.
Determine Roles for Awareness and Training
Next the Instructional Leadership Team determines roles and responsibilities. Christina Reynolds of BDO USA recommends using the RACI model: who is responsible, who is accountable, who needs to be consulted. The goal is to create observable evidence that partially meets assessment objectives [c], [d], and [g] of AT.2.999:
- “the roles and responsibilities of the activities covered by this policy are defined (i.e., the responsibility, authority, and ownership of Awareness and Training activities);”
- “the policy establishes or directs the establishment of procedures to carry out and meet the intent of the policy;”
- “the policy is endorsed by management and disseminated to appropriate stakeholders; and”
So you develop a matrix of roles and responsibilities. Include general users, data owners, system owners, and members of the Instructional Leadership Team. Make a column for each.
Then, in the rows, include who must complete training, who develops the training program, who agrees to acceptable use policies, who decides which roles get what training, who completes role-based training, and who is responsible for record keeping.
Establish Company-wide Baseline
Now decide what basic training every employee must have. This will include your awareness activities, employee handbooks, email policies, acceptable use policies, etc. You may include optional training on overall threat awareness and common attack vectors such as phishing.
The goal is to establish the bare minimum of security awareness you want from your employees. This will usually include a variety of training such as company-wide meetings, video on demand, or online learning.
Develop Training Matrix
Now that you have a baseline of the security awareness and training you want in employees, you next decide on the specialized roles and create a role-based training matrix. People in specialized roles and management will need additional training over and beyond what every employee receives.
You need to group people into roles based on their functions in the workplace.
Then create a list of topics that include items such as:
- Threat Awareness
- Media Protection
- Mobile Devices
- Access Control Policy
- Reference Architecture
- Crafting Service Level Agreements
You then decide based on the number of roles created by your instructional leadership team which group gets what training.
Develop Company Wide Awareness and Training Rubric
Next the Instructional Leadership Team needs to define success metrics for your awareness and training program. In terms of CMMC, measuring whether a plan works does not really kick in until the Level Four process requirements, but you cannot have a compliant training program without evidence of learning gains.
The evidence of awareness and training success, like all compliance data, can fall into one of three categories: interview, observe, and test.
First, you want to understand whether your awareness and training impacts your operational security. Indicators could include reduction in downtime, increased phishing test success rates, and incident reporting. If you cannot automate these metrics, you can have the Instructional Leadership Team rate them on a four-point Likert scale.
You also have training program metrics such as the frequency of training programs, learner performance, attendance, and learner feedback. You should check with your state on the requirements to protect and retain employee training data.
Now you have to choose content that will align your role-based matrices and your required learning matrices. It will probably be cheaper to purchase curriculum than to develop it in house. However, when you pay an instructional designer to develop your program, you can align the program to your company culture and workflow.
The majority of cybersecurity training is video-based garbage designed to let you check off a compliance box about providing training. Develop or utilize a rubric for evaluating curriculum. You may consider hiring a consultant to help you evaluate curriculum. At the very least, use your networks for word of mouth.
Create Deployment and Evaluation Schedule
Next you create a scope and sequence guide for your curriculum. This document includes the objectives of your chosen curriculum, how those objectives get measured, when the curriculum gets delivered, and who evaluates the result. You can include information about both awareness and training.
For awareness you could include the posters you hang and monthly security reminders that get delivered by email. The awareness program occurs all the time for all users.
For training this again will be a role based document. Many people may end up including the role based matrix in the scope and sequence of the curriculum.
Craft Awareness and Training Plan Compliance Documentation
Finally, you need to create a way to document your awareness and training program so that you organize observable evidence in a way that would not require a CMMC assessor to make any inferences about your program. Spell out how you meet each requirement in your policy, procedures, and plans. If you followed the path above, you have the majority of the documentation you need.
Now, as your goal, you must spell out the procedures for the Awareness and Training Policy and how you plan to include the metrics from your awareness and training in both your SSP and your Awareness and Training plan.
Create a policy for retaining security training records. Create the procedures to make sure this happens.
Include a table in your policy that explicitly addresses each of the required awareness and training items in a practice or assessment objective. Then, in your SSP, reference this policy and include two pieces of observable evidence that the assessment objectives have been met.
For example, you need to include training on internal threats at Level Two. This means for Level Three compliance you must demonstrate you provide this training. Explicitly spell out this, and any other required training, in your Awareness and Training Policy and Procedures.
For many companies, beginning with the Awareness and Training domain may provide a great launching point for your CMMC journey.
Meet CMMC Compliance through Awareness and Training
Can you complete your SSP while also reaching compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?
Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes the difference.
Christina Reynolds co-authored this post through the guidance she provided on how to craft an Awareness and Training Policy.