When companies work with federal agencies, their cyberdefense becomes a matter of national security. This is especially true for companies that process federal contract information (FCI), protected by Federal Acquisition Regulation (FAR) Clause 52.203-21, or controlled unclassified information, protected by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. For these firms, DoD cybersecurity awareness training may be necessary.
Do I Need DoD Cybersecurity Awareness Training?
The businesses that need to comply with CMMC requirements, including those for cybersecurity awareness and training, are those that want to contract with the Department of Defense (DoD). These firms that make up the Defense Industrial Base sector (DIB) are likely to process, store, or transport the specific kinds of information that DFARS and FAR require protections for.
If you hope to contract with the DoD, you’ll need to make sure your awareness and training are up to par. To that effect, this guide will break down everything else you need to know, including:
- A breakdown of what awareness and training look like in practice
- A simplified approach to implementing all needed training
Let’s get started!
CMMC Awareness and Training Requirements
The CMMC, officially titled the Cybersecurity Maturity Model Certification, is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUS(A&S)). It’s a complex framework that addresses requirements laid out in the legal statutes named above.
The CMMC differs from other required frameworks in that it follows a tiered approach to implementation across 5 stages, called “Maturity Levels.” At each level, an organization crosses a threshold of practice implementation and process institutionalization.
Institutionalization refers to the extent to which practices are systematic, organization-wide.
At the core of the CMMC are 17 cybersecurity domains that detail 43 key capabilities DoD contractors need to comply with. These in turn break down into 171 specific cybersecurity practices. One of the domains is “Awareness and Training,” which comprises 5 specific practices organizations need to comply with, across 3 levels, to satisfy DoD requirements.
Let’s take a look at what Awareness and Training compliance looks at, per the CMMC.
Assess your Cybersecurity Awareness Training
Awareness and Training at Maturity Level 2
In the CMMC framework, Level 2 functions as a transitional stage. The focus is on preparation for full protection of CUI, which occurs at Level 3. This is reflected in the name given to its practices, “intermediate cyber hygiene,” a step between the “basic” and “good” cyber hygiene achieved at Levels 1 and 3, respectively. Level 2 introduces 55 practices for a total of 72.
The first 2 practices in the Awareness and Training domain are introduced at Level 2:
- AT.2.056 – Ensure awareness of security risks and vulnerabilities related to activities and responsibilities, as well as applicable rules, standards, best practices, for all system administrators, managers, and all other users of the organization’s systems.
- AT.2.057 – Implement regular training to ensure adequate security practices for all personnel entrusted with privileges or responsibilities related to protected information.
At Level 2, process institutionalization requires not just the performance of practices (like Level 1), but also documentation thereof. That means establishing a policy that includes the practice, then documenting the specific methods, tools, etc. used to implement the policy.
With respect to Awareness and Training, you’ll need to carefully document all sessions and materials, including relevant literature and other awareness-related documents disseminated.
Awareness and Training at Maturity Level 3
Level 3 of the CMMC is dedicated to completing the protections for CUI begun in Levels 1 and 2. The practice goal of Level 3 is “good cyber hygiene.” To that end, it adds 58 more practices, the most of any level, for a cumulative total of 130. Among them, all 110 controls from NIST Special Publication (SP) 800-171 are integrated, encompassing the entirety of SP 800-171.
However, there is just 1 Awareness and Training practice introduced at Level 3:
- AT.3.058 – Provide personnel training on security awareness up to and including best practices for monitoring for, recognizing, and reporting on insider threats from other staff.
But at Level 3, organizations are also responsible for Level 2’s Awareness and Training practices. This is significant because Level 3’s process institutionalization is much more robust than that of Level 2. All 3 practices need to be performed, documented, and managed. That means there needs to be a plan and resources in place for long-term implementation.
With respect to Awareness and Training, you’ll need to implement a plan for sessions at regular intervals and allocate adequate resources to training and distribution of awareness materials.
Awareness and Training at Maturity Level 4
Level 4 of the CMMC breaks new ground, moving from the cyber hygiene practices of the first 3 levels to “proactive” cybersecurity practices. This indicates a shift away from maintenance to more forward-thinking controls that not only continue protecting CUI but also begin to anticipate and prevent advanced persistent threats (APT). There are 26 practices added for a total of 126.
Among them, the final 2 Awareness and Training practices are introduced at Level 4:
- AT.4.059 – Focus awareness training sessions and materials on APT actors, social engineering threats, suspicious behaviors, and security breaches; update training at least once per year and according to changes in the threat environment.
- AT.4.060 – Tailor training sessions to specific threats faced by the organization, including especially APT; utilize practical exercises informed by current, real-world threats, and provide feedback to trainees on accuracy and efficacy of their responses.
At Level 4, there is another significant step upward in process institutionalization. Not only must all practices be performed, documented, and managed; now, they also need to be carefully reviewed. That means regularly assessing practice implementation, analyzing efficacy, and taking corrective and proactive steps to remedy any inconsistencies or inefficiencies.
With respect to Awareness and Training, you’ll need to not just formulate a plan and allocate resources for a robust training program; you’ll also need to monitor and update it regularly.
Build the Awareness You Need with Training
When seeking compliance with the CMMC, implementing practices and attaining process institutionalization is not the final hurdle. To verify that your company is compliant and fully protecting CUI and FCI, you need to be certified by a Certified Third Party Assessment Organization (C3PAO), an organization recognized by the CMMC Accreditation Body.
Plus: the best C3PAOs, like RSI Security, can help with all stages of the process.
Our all-in-one CMMC services include robust cybersecurity advisement and construction, all leading up to certification. We’ll work with you to build the infrastructure necessary for training and awareness, including training you on how to train your staff independently. Simultaneously, we’ll help you to develop all other elements of cyberdefense across all 14 domains.
Then, when your organization is well equipped to pass the certification, it will be all but a formality.
Professional Compliance and Cyber Defense Solutions
Here at RSI Security, we know that compliance isn’t the end of cyberdefense; it’s just the beginning. That’s why our talented team of experts is ready to meet you where you are — and get you where you need to be. Whether you’re trying to map one cybersecurity framework onto another, starting out with brand new architecture, or optimizing your IT management.
With over a decade of experience providing cyberdefense solutions to companies from every sector, including countless DIB firms contracting with the DoD, we’re your first and best option. If you want to contract with the DoD, you’ll need to get certified as soon as possible. To see just how straightforward DoD cybersecurity awareness training can be, contact RSI Security today.