What does CMMC require for security awareness?

Travis Good
July 5, 2021

The Cybersecurity Maturity Model Certification (CMMC) was developed by the United States Department of Defense (DoD) as a framework for companies providing technology and services to the DoD. The CMMC bases its methodology on a broad range of security frameworks. It includes five maturity levels in cybersecurity and domains delineating individual requirements that DoD contractors must achieve to be eligible for government contracts.

> Level 2 of the CMMC framework requires intermediate cyber hygiene, including security awareness for all employees.

Advanced maturity levels also have additional security awareness requirements.

This article addresses everything that companies want and needs to know about CMMC requirements for security awareness.

What does CMMC require for security awareness?

DoD contractors are required to implement a cybersecurity awareness training program to participate in the CMMC. Additionally, companies seeking CMMC maturity certification levels two and higher must comply with this domain’s requirements.

The CMMC defines two awareness training capabilities upon which contractors should train:

AT Capability #1: CO11 Conduct Security Awareness Activities

There are two practices for conducting security awareness activities under this CMMC capability:

Practice 1. AT.2.056: Cybersecurity AT for All Employees and Users

Cybersecurity AT practice supports users by making them cognizant of the numerous security risks connected to their work and actions. It also addresses the practices and standards of a system’s security procedures.

Further, the CMMC requires that contractors conduct annual cybersecurity AT activities. The AT program must be personalized and include the company’s policies and cybersecurity department contact information. It is not simply a matter of buying off-the-shelf security awareness content.

Practice 2. AT.3.058: Provide Security AT on Recognizing and Reporting Potential Indicators of Insider Threat

Third-party contractors that handle CUI (Control Unclassified Information) should engage in threat training and effective risk management. The training must also detect internal risk factors when it comes to identifying insider threats and actors. Additionally, it’s essential to provide training for specific roles rather than using the same training across your entire workforce.

AT Capability #2: C012 Conduct Training

This second CMMC capability requirement for security awareness consists of three practices, including:

Practice 1. AT.2.057: Ensure Companies Train People to Carry Out Assigned Information Duties and Responsibilities.

DoD contractors must conduct security training designed for system administrators, personnel, and developers. Cybersecurity team members should also obtain other security certifications to enhance results; these are more technically-focused training that come with certifications.

Practice 2. AT.4.059: Provide Awareness Training that Focuses on Recognizing and Responding to Threats while Updating the Training Annually or Where Threats Occur

Contractors must update security awareness training at least once a year or when new threats become apparent. When complying with this practice’s demands, they must perform security AT activities that concentrate on the strategies employed by APT (advanced persistent threat) actors. In this practice, companies are encouraged to go beyond basic cybersecurity practices and bolster their defenses against more sophisticated attacks.

Practice 3. AT.4.060. Include Practical Exercises in Security Awareness Training Modules

Exercises should align with the modern threat scenarios and offer feedback to those involved in the training. In doing so, they enhance a contractor’s security awareness training by incorporating activities associated with real-world threats. Also, the requirement for contractors to provide feedback ensures that they are proactive in measuring the value provided by these security awareness exercises.

How to meet the security awareness training requirements of CCMC?

1. Provide annual security awareness training to all employees

The first step to meet your CMMC compliance requirements is through an annual cybersecurity awareness training course that can either be company-wide or specific to employees working on US Federal government contracts. No matter the industry, personnel must be duly aware of the cybersecurity risks that their decisions and actions present as well as how to carry out their duties in a manner that mitigates risk. This annual training should be updated each year.

2. Customized security awareness training for your Company

In addition, security training should be linked to actual policies and procedures in a user-friendly and coherent way for clarity. The easiest way to do this, assuming you do not create all of you own security awareness content, is to create customized training as a addendum or add-on to the general security awareness training referenced above.

3. Provide risk-focused security training

Training should include, and maybe even have a focus, on risk assessment, management, and mitigation. This is required for those handling CUI, which is significantly more vulnerable to “insider” actions, whether intentional or otherwise.

4. Enhanced training for technical employes

In order to meet Practice 3. AT.4.060, you should either provide or enable your technical employees to have access to technical security training. This is training that is not relevant to your entire workforce but focused on technical aspects of security awareness.

5. Compliance with Level 4 includes Security Awareness Training Against APT

DoD data, and those contractors that process and store it, can be targets of more sophisticated threat actors. The goal of targeted APT training is to increase employees’ awareness of how to detect and report APTs, and what clues (i.e., indicators of compromise) APTs might leave behind that they may see.

6. Provide a feedback mechanism

For each conducted training, all learners should have access to a means to provide feedback of the training. This feedback can take many forms. Regardless of how the feedback is collected, it should be reviewed and retained.

7. Documentation to prove the above 5 are in place

Lastly, obtaining the maturity required to pass a CMMC examination also includes collecting and presenting evidence that demonstrates effective and efficient controls are executed. Retain records while conducting security awareness training to demonstrate to an auditor how often the company completed these training activities, what was covered (keep content), who attended, how they were evaluated, and what results were achieved.

How to Integrate Security Awareness Training Policies with the CMMC

Policies and procedures should be supplemented and supported by regular awareness training. Most security awareness topics should be contained in formalized agreements and policies, but some companies may also want to package the information in plain language outside of policies and procedures.

The goal for security awareness, whether for CMMC or any company, should be to integrate it into work and culture. Bolting security awareness programs onto your compliance program simply to check the box is not sufficient. Frameworks such as CMMC show a clear trend to more complete, continual, and dynamic security awareness.

Final Thoughts and Considerations

Security awareness training is an essential component for the CMMC. CMMC Level 2 or higher compliance is a good goal for companies aspiring to have DoD customers. This result translates into landing more contracts and achieving better results. Don’t forget to update your training policies and manuals to reflect the CMMC requirements and to ensure your workforce understands why CMMC matters for your company.