CMMC Practice AT.2.056
Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Bold Coast Security Guidance
Training is key! A large number of your workforce have never been told exactly what the "bad guys" are capable of how they are attempting to fool users via phone, email and text messages. Its imperative to get the message out to all of them on a regular basis so they are prepared and can spot the signs of malicious behavior.
We also recommend taking the stance of a "no blame" organization: People need to feel empowered to report it when that ARE fooled by a phishing email, etc. If they fear retribution, they will not notify anyone, and you have missed an opportunity to catch malicious behavior at the start. During your training, reinforce that idea with your users. You will also use this information to define future training needs.
DRAFT NIST SP 800-171 R2
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.
NIST SP 800-50 provides guidance on security awareness and training programs.