Reference: CMMC v2.13
Family: AT
Level Introduced: 3
Title: Advanced Threat Awareness
Practice:
Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Further Discussion:
All organizations, regardless of size, should have a cyber training program that helps employees understand threats they will face on a daily basis. This training must include knowledge about APT actors, breaches, and suspicious behaviors.
Example
You are the cyber training coordinator for a small business with eight employees. You do not have your own in-house cyber training program. Instead, you use a third-party company to provide cyber training. New hires take the course when they start, and all current staff members receive refresher training at least once a year [b]. When significant changes to the threat landscape take place, the company contacts you and informs you that an update to the training has been completed [c,d] and everyone will need to receive training [b]. You keep a log of all employees who have gone through the cyber training program and the dates of training.
Potential Assessment Considerations
• Does the organization have evidence that employees participate in cyber awareness training at initial hire and at least annually thereafter or when there have been significant changes to the threat [b]?
Implementation Strategies
800-172 Requirements vDraft (1)