The US military and its broad network of businesses and individual contractors comprise the most critical infrastructure in the entire country. Any threat to the Department of Defense (DoD) resources and information could jeopardize all Americans’ security, both domestically and abroad.
That’s why everyone within the military and all DoD contractors need to maintain stringent security standards, and DoD information assurance awareness training is just one required component. Read more to learn all about it.
Basics of DoD Information Assurance Awareness Training
Companies that can lock down coveted “preferred contractor” status become eligible for lucrative opportunities both in the near and long term. To become eligible, these companies need to comply with various cybersecurity frameworks, such as NIST SP 800-171 and CMMC. Both frameworks translate Defense Federal Acquisition Regulation Supplement (DFARS) requirements for data training and other areas into appropriate controls, keeping you on the same security level as the DoD.
This blog will break down all you need to know about DoD training for yourself and third parties:
- What DoD information assurance awareness training comprises and who needs training
- Relevant awareness assurance training specific requirements in the NIST framework
- Other information awareness and assurance practices in the CMMC framework
By the end of this guide, you’ll know what your company’s awareness goals should be, the specific DoD stakeholders’ goals, and the resources to get started.
What is DoD Information Assurance Awareness Training?
DoD Information Assurance Awareness Training comprises various baseline and special interest training programs offered to, and required of, military personnel. It’s codified in DoD Directive (DDoD) 8570.01-M, “Information Assurance Workforce Improvement Program,” first published in 2005 and updated most recently in 2015. Training for military personnel is near-exclusively developed or informed by the Defense Information Systems Agency (DISA).
Information awareness assurance training is tailored to specific branches of the military. Also, individual units within a given branch may implement unique modules and programs relative to their particular cybersecurity environment, personnel, strengths, and potential risks or threats.
According to one 2013 US Army Stand-To directive, the need for Information Assurance (IA) and Cybersecurity Awareness training is directly related to increasing cybercrime threats, which have escalated in recent years. It identifies training requirements for a then-new program to train all US military members on the threats to information directly or indirectly related to defense.
Who Needs DoD Information Assurance Awareness Training?
DDoD 8570.01-M requires IA and related training for military personnel with direct access to sensitive forms of information systems (IS). IS are systems that connect to, process, store, or otherwise come into contact with “covered defense information.” Per DFARS, this category mainly comprises controlled unclassified information (CUI), including but not limited to:
- Defense-specific Controlled Technical Information, related to nuclear weapons and more
- Technical data pertinent to critical infrastructure, like natural and cultural resources, etc.
- NATO-restricted data pertinent to the North Atlantic Treaty Organization (NATO)
- Documents and reports constituting other International Agreement Information
- Relevant legal, law enforcement, and immigration documentation and records
The parties for whom IA training is most critical and closely monitored and enforced are managerial and administrative staff, especially those involved in IT departments. But some form of IA training is required for nearly all military personnel, as they are all likely to come into contact with these information types. Critically, the same is true for most DoD contractors.
Who Else is Impacted by DoD Stakeholders’ Assurance Awareness?
Internal managers and other staff employed by the military are not the only individuals whose awareness needs to be assured through training. Through different means, the DoD requires similar levels of training and awareness for all contractors it trusts with sensitive information.
Companies working with and for the DoD as contractors make up what the Cybersecurity and Infrastructure Security Agency (CISA) has defined as the Defense Industrial Base (DIB) sector. This sector comprises over 100,000 companies and subcontractors worldwide, according to a recent CISA estimate, and represents nearly every industry involved in research and development, design, manufacturing, and distribution of critical military supplies, products, and services. In other words, it’s the lifeblood of the DoD.
Every person involved in the DIB sector — including all personnel and stakeholders at DIB companies — is impacted by DoD information assurance awareness training in one way or another. One primary way in which this impact is felt is through analogous awareness training required for all DIB stakeholders through mandatory compliance requirements.
Relevant NIST SP 800-171 Awareness Assurance Requirements
As noted above, one requirement for DoD preferred contractor status is compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, or “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” This regulatory framework tailors baseline requirements and best practices from other compliance guides, like the NIST Cybersecurity Framework (CSF), to DoD contractors’ specific needs and means.
NIST SP 800-171 comprises 110 “Requirements,” or cybersecurity controls, that organizations must implement. These are distributed across 14 unique “Requirement Families,” each of which corresponds to a specific cybersecurity area or domain. One relates directly to Information Awareness Assurance requirements for the DoD, and this Requirement Family only has three distinct Requirements.
NIST SP 800-171 Awareness and Training Requirement Family
In the NIST SP 800-171 framework, three Requirements are directly related to awareness assurance, housed within the “Awareness and Training” Requirement Family. Two of these are “Basic,” and the other one is “Derived.” Their specifications and suggested implementation are:
- 3.2.1 (Basic) – Ensuring all managerial and administrative staff, and all users with privileged access, are aware of risks related to their regular duties and responsibilities.
  - Implementation suggestions include formal training exercises, dissemination of literature, logon screen messages, and email-based and communication-based assessments.
- 3.2.2 (Basic) – Ensuring all personnel (especially those named above) are prepared to carry out specific responsibilities related to their awareness of security requirements.
  - Implementation suggestions focus on dynamic training and workshop modules based on role-play exercises informed by or utilizing actual threat intelligence.
- 3.2.3 (Derived) – Ensuring personnel are aware of and equipped to identify, report, and take other appropriate measures to mitigate insider risks, threats, and vulnerabilities.
  - Implementation suggestions focus on communications strategies and tactics highlighting insider threats specific to individual employees’ particular roles.
Implementing these Requirements is critical to a successful NIST SP 800-171 assessment, leading to “high confidence” in your company’s internal security practices. This is one major requirement for DoD contractor status, but it will soon not be enough for “preferred” status. This is where RSI Security can help. Our expert team offers a suite of NIST SP 800-171 advisory services to facilitate full NIST implementation.
Relevant CMMC Awareness Assurance Domains/Practices
The other major requirement for future DoD preferred contractor status is currently still in an initial rollout phase. The DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S) has compiled various NIST and other frameworks together into a single, omnibus framework called the Cybersecurity Maturity Model Certification (CMMC).
Using the NIST SP 800-171 as one primary source text, the CMMC framework comprises 17 cybersecurity “Domains,” which house a total of 43 “Capabilities,” for general purposes. The Capabilities are accomplished by implementing 171 distinct “Practices,” which are analogous to the NIST SP 800-171 Requirements. “Process Maturity” goals also measure the extent to which Practices are institutionalized.
The CMMC is unique from NIST SP 800-171 in that it allows its Practices to be gradually adopted across five distinct “Maturity Levels.” Their respective focuses and goals include:
- Maturity Level 1 – This level focuses on protecting Federal Contract Information (FCI), with 15 Practices constituting “basic cyber hygiene” and the Process Maturity goal “performed.”
- Maturity Level 2 – This level focuses on preparing for CUI protection (Level 3), with 55 Practices constituting “intermediate cyber hygiene” and the Process Maturity goal “documented.”
- Maturity Level 3 – This level focuses on completing full FCI and CUI protection, with 58 Practices constituting “good cyber hygiene” and the Process Maturity goal of “managed” (actively).
- Maturity Level 4 – This level focuses on shifting attention to Advanced Persistent Threat (APT) protection, with 25 “Proactive” Practices and the Process Maturity goal “reviewed.”
- Maturity Level 5 – This level focuses on finalizing all safeguards for FCI, CUI, and APT, with 17 “Advanced/Progressive” Practices and the Process Maturity goal of “optimizing.”
CMMC controls related to DoD Information Awareness Assurance Training spread across two Domains, with Practices spanning Maturity Levels 2, 3, and 4 — let’s take a closer look at them.
CMMC Awareness and Training Capabilities and Practices
There are two Capabilities housed within the “Awareness and Training” Domain of the CMMC: “Conduct security awareness activities” and “conduct training.” These are fleshed out across five Awareness and Training Practices, and the first two are added at Maturity Level 2:
- AT.2.056 – This requires that all administrators and other users with privileged access to sensitive information are made aware of all relevant risks and responsibilities.
- AT.2.057 – This requires that measures be put in place to ensure all administrators and users uphold information security responsibilities established in training activities.
Then, there is one Awareness and Training Practice required at Maturity Level 3:
- AT.3.058 – This requires specific training modules or other practices to establish staff-wide awareness of threats and responsibilities related to insider threats and vulnerabilities.
Finally, there are two Awareness and Training Practices required at Maturity Level 4:
- AT.4.059 – This requires specific training modules and other awareness-building activities related to APTs like social engineering and complex breaches. Training modules must be updated at least annually.
- AT.4.060 – This requires active, dynamic training sessions focused on current threat activity and actual recent attacks identified within peer or local organizations.
Implementing these Practices to the Process Maturity goals of “documented,” “managed,” and “reviewed” for Maturity Levels 2, 3, and 4, respectively, is critical for awareness assurance.
CMMC Situational Awareness Capabilities and Practices
Moving beyond the baseline Awareness and Training controls, the CMMC framework dedicates a domain to “Situational Awareness,” which is tailored to the company’s own position. There is one Capability housed within Situational Awareness called “implement threat monitoring,” which is accomplished through three Situational Awareness Practices, beginning at Maturity Level 3:
- SA.3.169 – This requires receipt, confirmation, analysis, processing, and distribution of security information relevant to the company from various local and national sources.
The two Situational Awareness Practices required at Maturity Level 4 include:
- SA.4.171 – This requires the establishment and maintenance of a “cyber threat hunting” apparatus to mobilize threat intelligence in search of risks or vulnerabilities to mitigate.
- SA.4.173 – This requires the design, implementation, and maintenance of resources to compile and share information about indicators of compromise with all stakeholders.
Implementing these Practices to the Process Maturity goals of “managed” and “documented,” along with the AT Practices above, is critical to reaching the DoD’s required thresholds for awareness. To help companies build cybersecurity architecture up to CMMC specifications and complete their assessments for compliance, RSI Security offers a suite of CMMC advisory services.
DoD Awareness Assurance, Training, and Compliance
Here at RSI Security, we understand how critical compliance is for DoD contractors — but we also know that compliance is not the end of cybersecurity, just the beginning. Our talented cybersecurity team has provided managed IT and security services to companies of all industries and sizes for over a decade, helping protect the DIB sector and other critical infrastructures.
To recap from above, DoD information assurance awareness training is a critical program that is designed to ensure uniform and optimal cybersecurity awareness across all DoD personnel and stakeholders. Similar requirements exist for companies currently or hoping to work with the DoD as preferred contractors. Both the NIST and CMMC compliance frameworks have controls built in to inform training protocols. To ensure your cybersecurity framework is up to spec, contact RSI Security today!