CMMC Practice AT.4.060

Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.


CMMC Version 1.02, pg. 109

Bold Coast Security Guidance

This practice is a bit redundant to attaining Level 4 compliance with AT.4.059, which required you to measure the effectiveness of your training specific to recognizing current threats such as suspicious emails. Codified here, you will need to draft a policy and plan to implement staff testing with real looking phishing samples. We recommend you send out a batch BEFORE you start training staff, and another batch after you train staff, to evaluate how your training worked. You should then send them out at irregular time periods. This will allow you tp understand how well your staff is retaining the information you provided, while also keep staff on their toes for bogus emails! Additionally, phishing email exercises that provide immediate feedback to the user ("Oops! You shouldn't have clicked that link!") are usually more effective training methods.

Discussion From Source

DRAFT NIST SP 800-171B (MODIFIED) Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTPs) of the threat. Examples of practical exercises include no-notice social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links . Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potential serious problem. [Modified only to remove requirement to notify supervisors from NIST SP 800-171B 3.2.2e].