CMMC Practice Requirement:

Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

CMMC Requirement Explanation:

The vast majority of cyber attacks are caused by human error. Security awareness training helps reduce the chance of cyber attacks resulting from human error. An example of a human error is when a user downloads an attachment from a malicious email.

Example CMMC Implementation:

Provide security awareness training to your employees and persons using your systems. Security awareness training can be given via instructor or online training. Security awareness training should cover important security policies and common cyber threats. Occasionally send security awareness/tip emails to employees.

Scenario(s):

- Scenario 1:

Example:

Your company requires all its employees and system users to complete annual security awareness training. It accomplishes this by having personnel take the online DoD "Annual Security Awareness" refresher. Personnel who complete the training receive a certificate of completion. Every employee is responsible for providing their certificate to your security officer.
The DoD Annual Security Awareness Refresher
The DoD Annual Security Awareness Refresher
 

Discover Our NIST SP 800-171 Solutions:

/assets/images/compliance_accelerator_white.png

Compliance Accelerator

For contractors seeking compliance
Learn More
/assets/images/quantum_assessor_white.png

Quantum Assessor

For IT service providers
Learn More
/assets/images/supply_chain_logo_white.png

Supply Chain Verifier

For contractors seeking to verify partner compliance
Learn More