CMMC Domain AT
Awareness and Training
Establish a program to continuously educate your staff, vendors, and contractors about how you safeguard your data and about the threats you face.
- Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
- Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
- Provide security awareness training on recognizing and reporting potential indicators of insider threat.
- Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
- Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.