CMMC Practice AT.4.059

Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.


CMMC Version 1.02, pg. 108

Bold Coast Security Guidance

CMMC defines this as a Level 4 practice, but it should really be part of all levels. Security training that includes specific examples, such as screenshots of phishing emails received by the organization, will keep your audience more engaged and will better inform them about what types of threats are "in the wild" today. Once you have established that baseline, you can forward sanitized screenshots of additional samples to keep your staff up to date with the newest attack vectors. To measure the effectiveness of your training, consider using outside firms to send sample phishing emails to your staff. They will measure how often staff click on the bogus links or attachments and give you concrete evidence of how well your training is working, or of specific areas where your staff need more guidance.

Discussion From Source

DRAFT NIST SP 800-171B

One of the most effective ways to detect APT activities and to reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code injections via email or the web applications. Threat awareness training includes educating individuals on the various ways APTs can infiltrate into organizations including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in non-secure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving.