Cybersecurity Maturity Model Certification (CMMC) includes a set of controls that dictate training requirements for relevant employees: the Awareness and Training domain. In some cases, Organizations Seeking Certification (OSCs) may use their own definitions to shape their training requirements, but in others the granular demands of the standard are shrouded in NIST-speak. Companies that have not provided adequate training, or that misunderstand the requirements as stated by NIST, face the challenge of identifying and delivering appropriate training within the assessment closeout period—or risk failing to attain certification.
Below I unpack four key training considerations for CMMC, in an effort to shed light on exactly what NIST and the DoD are asking of Defense Industrial Base (DIB) companies in this area.
Train on your own policies.
AT.L2-3.2.1 states OSCs must: “Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”
This control is broken down into several assessment objectives (AOs). The AOs crucial to this discussion are 3.2.1[b], “policies, standards, and procedures related to the security of the system are identified” and [d], “managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.”
These AOs indicate that generic training on risks and security best practices is not enough: you must train employees on your company’s own policies and procedures. If you cannot show that your training process includes specific references to your documentation stack, a Certified CMMC Assessor (CCA) will mark the 3.2.1 control set “NOT MET”.
Insider Threat training can be generic.
AT.L2-3.2.3 requires OSCs to: “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”
Unlike the control discussed above, generic training is sufficient in this instance. The DoD’s free Insider Threat offering is an affordable and acceptable means of meeting this control.
Remember that your Facility Security Officer (FSO) may only train employees with security clearances.
Most organizations seeking a Cybersecurity Maturity Model Certification will already have an FSO. In our experience, companies with an FSO are wont to point to the training the FSO delivers to employees with security clearances. If this is your chosen method, be sure to cross-reference your organization’s list of employees with security clearances against the list of individuals who process or handle CUI or who perform crucial security functions. Oftentimes the two lists do not match, and this can leave gaps in training for key staff members.
In summary, it is unlikely your FSO provides training to every employee who will need CUI and Insider Threat training, so plan to address these gaps accordingly.
DoD CUI Training requirements are nuanced.
There is some discussion in the Certified CMMC Assessor (CCA) community about whether the DoD’s free CUI Training is a requirement for all OSCs. Our recommendation is that providing or requiring this training for employees who process or handle CUI is best practice. However, the training is only a requirement for contracts that include DoDI 5200.48 as an additional contract requirement.
Conclusion
The above training considerations are not exhaustive, but they serve as a road map for OSCs to build an understanding of the Awareness and Training AOs contained in NIST SP 800-171r2 and to begin fleshing out their key training activities.