Did you know that, while sophisticated cyberattacks tend to hijack the headlines, the largest cybersecurity threat is actually human error? Most data suggests that human error accounts for over 80% of cyber-related incidents. To help reduce this very real problem, CMMC requires that organizations adopt and implement structured security awareness training, with regular updates and touchpoints for personnel at all levels. Below are the recommended organizational best practices to ensure your organization achieves and maintains compliance with the following CMMC training controls:
- AT.L2-3.2.1 (Security Risks and Policies Awareness)
- AT.L2-3.2.2 (Role-Specific Security Training)
- AT.L2-3.2.3 (Insider Threat Awareness)
1. Training Categories (Initial, Role-Specific, and Recurring)
Initial / New Hire Training:
- Audience: Managers, systems administrators, and all users.
- Content:
  - Overview of information security policies, procedures, and standards.
  - Common security risks associated with users’ activities (e.g., phishing, social engineering, weak passwords).
  - Responsibilities related to handling sensitive information.
  - Tailored examples of how employees’ actions can introduce risks (e.g., weak passwords, unpatched software, insecure file sharing).
  - Procedures for reporting incidents or suspicious activities.
  - Insider threat indicators and reporting procedures.
- Frequency: Conducted within 30 days of employment / role change.
- Format: Classroom, virtual, or e-learning modules.
Role-Specific Training:
- Audience: System administrators, IT personnel, and other key roles within the organization.
- Content:
  - Deep dive into technical security policies, system vulnerabilities, and secure configurations.
  - Detailed training aligned with each employee’s role and access level; for example, system administrators receive training on advanced network security, while general users receive basic internet safety practices.
  - Policy-driven security tasks (e.g., patch management, log monitoring).
  - Understanding of administrative access and associated risks.
  - Incident response procedures.
- Frequency: Annually, or upon major policy updates.
- Format: Virtual or hands-on labs with periodic assessments.
Recurring Training:
- Audience: All employees.
- Content:
  - Recap of key security policies and procedures.
  - Updates on recent security threats and vulnerabilities.
  - Review of insider threat awareness, including an explanation of what constitutes an insider threat (e.g., disgruntled employees, espionage).
  - Recognizing red flags (e.g., unusual file access patterns, sudden changes in behavior).
  - Steps to report insider threat concerns, including anonymous channels.
- Frequency: Annually.
- Format: Story-driven video scenarios and quizzes to reinforce detection and reporting, delivered as virtual training or self-paced e-learning.
2. Recurring Training Frequency Recommendations
Monthly Cybersecurity Awareness Updates:
- Audience: All employees.
- Content: Short, digestible security tips (email newsletter, intranet posts, or 5-minute micro-training).
  - Topics can include password hygiene, phishing awareness, social engineering, and secure use of devices.
- Objective: Reinforce key security principles and keep employees vigilant.
Quarterly Security Updates:
- Audience: All employees.
- Content: Review of recent security incidents (internal or industry-related), new threats, and updated security procedures.
- Objective: Keep staff updated on evolving threats and reinforce security best practices.
- Format: Webinars, lunch-and-learn sessions, or town halls.
Bi-annual Simulated Security Exercises:
- Audience: All employees.
- Content: Phishing simulations, social engineering tests, and reporting drills.
- Objective: Test employee response to real-world scenarios and measure the effectiveness of security training.
- Format: Conducted by internal or third-party security teams.
3. Training Program Oversight & Documentation
Organizational leadership may elect to appoint a training program coordinator to provide program oversight and ensure that training sessions are documented. Collecting and maintaining the following records will ensure that your training program achieves the level of maturity and reach your organization requires.
- Audit & Recordkeeping: Maintain logs of all completed trainings (dates, content covered, employee names).
- Training Feedback: Collect employee feedback after training sessions to assess understanding and identify areas for improvement.
- Periodic Evaluation: Evaluate the training program’s effectiveness (e.g., through mock scenarios or incident reporting analysis) and update training content as needed.
- Acknowledgment: After each training, have employees sign off (electronically or physically) acknowledging that they understand the material and their responsibilities.
By following these best practices, organizations can ensure comprehensive coverage of the CMMC 2.0 controls, while fostering a security-conscious culture.