Guide to Insider Threat Awareness Training for NIST SP 800-171 & CMMC

According to the NIST glossary, an insider threat is “the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.”

What makes an insider threat dangerous is that they already have access to your organization's systems and data. Depending on their level of access and assigned privileges they can easily exfiltrate sensitive data, install malware, and physically damage equipment. One of the ways the NIST SP 800-171 family of security controls seek to counter insider threats is by training employees in identifying them.

NIST SP 800-171 and CMMC control 3.2.3 requires that you “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

Perhaps the easiest way to meet the insider threat awareness for NIST SP 800-171 and CMMC is to use the relevant “Insider Threat Awareness” e-learning course available from the Center for Development of Security Excellence (CDSE).

According to CDSE, “the course provides a thorough understanding of how Insider Threat Awareness is an essential component of a comprehensive security program. With a theme of, "If you see something, say something" the course promotes the reporting of suspicious activities observed within the place of duty. Using a few case study scenarios, the course teaches the common indicators which highlight actions and behaviors that can signify an insider threat. The instruction promotes a proactive approach to reporting suspicious activities.”

You should require personnel with access to your information system to complete the course. Collect their certificates of completion to keep in your organization’s training records. NIST SP 800-171 doesn’t specify how often your information system users should complete the training, but a refresher every year or two is probably a good idea.

Personnel need to be informed about who to report insider threats to. You should designate a person from executive management to receive reports of insider threats and then send an email out to information system users describing what an insider threat is and include the contact information for reporting an insider threat.

If you want to learn more about insider threats, check out our blog post on the signs an employee may be an insider threat.