Meeting Personnel Training Requirements for NIST SP 800-171 & CMMC Using Free Resources
By: Omer Kaan Aslim
October 20, 2021
The NIST 800-171 and CMMC security frameworks both have an entire domain about awareness and training. Here is how you can meet those training requirements using free resources.
What are the NIST SP 800-171 and CMMC Training Requirements?
NIST SP 800-171 3.2.1 and CMMC AT.2.056
Requirement: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
How to Meet Requirement 3.2.1 and AT.2.056
The Defense Counterintelligence and Security Agency's Center for Development of Security Excellence (CDSE) offers a free online Cybersecurity Awareness course. Require your information system users to complete this training when they are first hired and annually thereafter.
Another item to consider for this requirement is training on the handling of controlled unclassified information (CUI). Information system users who will be handling CUI should receive additional security awareness training. This can be accomplished using CDSE's free online course titled "DoD Mandatory Controlled Unclassified Information (CUI) Training".
NIST SP 800-171 3.2.2 and CMMC AT.2.057
Requirement: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
How to Meet Requirement 3.2.2 and AT.2.057
The DoD Cyber Exchange offers a free online course for privileged users. The course is titled Privileged User Cybersecurity Responsibilities. Require information system users with system and security administration responsibilities to complete this training when they are first hired and annually thereafter.
NIST SP 800-171 3.2.3 and CMMC AT.3.058
Requirement: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
How to Meet Requirement 3.2.3 and AT.3.058
The Defense Counterintelligence and Security Agency's Center for Development of Security Excellence (CDSE) offers a free online Insider Threat Awareness training course. Require your information system users to complete this training when they are first hired and annually thereafter.
You can also put up security awareness posters around your facility to remind employees about security best practices. The US Cybersecurity and Infrastructure Security Agency (CISA) has these posters available on its website.
Other Considerations for Meeting Training Requirements
When your employees complete the training courses, they are provided with a certificate of completion. Instruct each employee to email the certificate to your training manager. Store these certificates in a central repository and document employee training completion in a spreadsheet, so that you can show an assessor who has taken which course and when each person's annual refresher is due.
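The role-based, annual cadence described above can be checked mechanically against that spreadsheet. The following is an added example (not code from the original post or from any vendor): it reads a constructed personnel list and completion log, maps roles to the courses named in this post (the role names and the role-to-course mapping are assumptions), and reports who is missing a required course or is past the one-year refresher window.

```python
import csv, io
from datetime import date, timedelta

# Courses named in the post, mapped to the role that needs them (the mapping is an assumption).
COURSES_BY_ROLE = {
    "user": ["Cybersecurity Awareness", "Insider Threat Awareness"],
    "cui": ["DoD Mandatory Controlled Unclassified Information (CUI) Training"],
    "admin": ["Privileged User Cybersecurity Responsibilities"],
}
VALID_FOR = timedelta(days=365)  # "when first hired and annually thereafter"
# Constructed sample records with hypothetical names (not real data).
PERSONNEL_CSV = """name,roles
alice,user
bob,user;admin
carol,user;cui
"""
COMPLETIONS_CSV = """name,course,completed
alice,Cybersecurity Awareness,2021-09-01
alice,Insider Threat Awareness,2020-09-01
bob,Cybersecurity Awareness,2021-06-15
bob,Insider Threat Awareness,2021-06-15
carol,Cybersecurity Awareness,2021-07-01
carol,Insider Threat Awareness,2021-07-01
carol,DoD Mandatory Controlled Unclassified Information (CUI) Training,2021-07-01
"""

def required_courses(roles):
    """Courses a person must hold, given their semicolon-separated roles."""
    needed = []
    for role in roles.split(";"):
        needed.extend(COURSES_BY_ROLE.get(role.strip(), []))
    return needed

def training_gaps(personnel_csv, completions_csv, today_iso):
    """Return {name: {course: 'missing' | 'expired'}} for everyone with a gap."""
    today = date.fromisoformat(today_iso)
    latest = {}  # (name, course) -> most recent completion date on record
    for row in csv.DictReader(io.StringIO(completions_csv)):
        key = (row["name"], row["course"])
        done = date.fromisoformat(row["completed"])
        if key not in latest or done > latest[key]:
            latest[key] = done
    gaps = {}
    for row in csv.DictReader(io.StringIO(personnel_csv)):
        for course in required_courses(row["roles"]):
            done = latest.get((row["name"], course))
            if done is None:
                gaps.setdefault(row["name"], {})[course] = "missing"
            elif today - done > VALID_FOR:
                gaps.setdefault(row["name"], {})[course] = "expired"
    return gaps
```

Run `training_gaps(PERSONNEL_CSV, COMPLETIONS_CSV, "2021-10-20")` to see that alice's insider threat training has lapsed and bob has never taken the privileged user course, while carol is fully current.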
How to Meet Your Other CMMC & NIST SP 800-171 Requirements
Using our Compliance Accelerator app, you can perform a NIST SP 800-171 and CMMC Level 3 assessment by simply answering easy-to-understand yes or no questions. The app will then calculate your Summary Level (SPRS) score. It will also generate tasks for you to implement to improve your score and meet your NIST SP 800-171 and CMMC requirements. The app will automatically generate your plan of action and milestones document and includes a downloadable system security plan template. The app also includes over a dozen other IT and cybersecurity documentation templates you can use to save weeks of research and days of typing in MS Word.