CMMC Weekly Series #9
Posted on June 12, 2020 by Christopher Bukowski, Esq.
Awareness and Training
Among the simplest CMMC Domains (i.e., families), and yet one of the most important, is the Awareness and Training Domain. As the old adage goes, a chain is only as strong as its weakest link, and so it is for the CMMC framework as a whole.
Personnel have always had the greatest potential for ensuring the strongest security posture of an organization’s networks and systems but also have the greatest potential for causing the most harm to an organization’s security posture.
It is precisely due to awareness and training (or a lack thereof) that an organization’s personnel can become its greatest asset or its weakest link and greatest foe in the protection of its systems, even if unwittingly. As noted on the EC-Council’s website:
“The lack of awareness or negligence regarding cybersecurity among staff can lead to dramatic consequences for the organization….two-thirds (i.e., 66%) of security breaches are a result of employee negligence or malicious acts…External threats patiently lure insiders as a host in revealing the sensitive data of organizations. According to IBM’s 2018 X-Force Threat Intelligence Index, over two-thirds of total compromised records point to inadvertent insiders – employees who leave an easy entry point (by mistake) for cyber attackers to exploit the resources of the organizations. To do so, cybercriminals use social engineering methods to exploit the cyber vulnerabilities of organizations.”
Given these statistics, an organization’s best return on investment (ROI) when it comes to preventative measures used to protect its network, systems and information from being damaged, lost or otherwise exploited may very well be simply providing and maintaining a robust and thorough awareness and training program for its personnel.
Consider a risk analysis of the potential threats and vulnerabilities to a system’s integrity, where the threat (the potential for something harmful to happen, e.g., malicious actors) multiplied by the vulnerability (a weakness that can allow the threat to cause harm, e.g., untrained employees) equals the risk level (the proportional potential of a threat exploiting a vulnerability, and its overall impact on the organization if it does). With an ever-increasing adversary ready to exploit the 66% of an organization’s unwitting personnel in order to compromise the organization’s most precious assets (its systems, networks and information), the resulting risk level is huge and needs to be addressed and mitigated.
It may take relatively nominal time and money to create such a program and then subsequently maintain it, but that cost is typically far outweighed by the cost of a compromise that could have been prevented by initiating such a program. Even if Awareness and Training were not a CMMC requirement, prudence dictates that any organization have a thorough and up-to-date program proportionate to the type and sensitivity of the information it retains (this could include Personally Identifiable Information (PII), Credit Card Information, Financial Information, Healthcare Information, Educational Information, Proprietary or Confidential Information, For Official Use Only (FOUO), Controlled Technical Information (CTI), Covered Defense Information (CDI), Controlled Unclassified Information (CUI), etc.). Even if an organization didn’t hold any type of sensitive information (which most now do in some way, shape or form), having an Awareness and Training program can help prevent its own systems from being damaged or otherwise compromised and may even help protect against its systems being used as a bot to harm others. Another good article on the effect of human error, and the steps implemented to address and overcome those errors, can be found in the Harvard Business Review: Cybersecurity’s Human Factor: Lessons from the Pentagon.
It would be tantamount to having a house full of your possessions, some of which have significant financial and/or sentimental value, and then telling the other residents of the house where the hide-a-key is hidden outside (or, alternatively, the code to the deadbolt) without providing further instruction. Eventually, at least one of those individuals (kids, spouse, etc.) will tell someone else where that key is (or what that code is) in order to get in the house for something (e.g., a friend, a neighbor, etc.), which may very well compromise the security of your home in the future. Not only should the code or location of the key be sophisticated enough to elude total strangers (e.g., similar to hardening systems and protecting networks from random sniffers, hackers, etc.) but the actual residents of the home should be given specific instructions about the use and secrecy of the code or location of the key.
This leads us to one of the principal methods by which the human element of any organization can inadvertently compromise organizational systems: social engineering. This can be through simple and somewhat crude methods such as phishing attacks or whaling attacks (e.g., emails received attempting to deceive the recipient and manipulate them into such things as clicking links allowing malicious software in, providing Personally Identifiable Information or Financial Information, or otherwise sensitive organizational information, etc.). But social engineering can also be extremely sophisticated involving adversaries meeting with and even befriending unknowing personnel in order to extract information (e.g., the type of stuff you see in spy movies such as Mission Impossible). Though probably not as glamorous as depicted, it is a true possibility and concern.
Other means by which personnel might inadvertently compromise an organization’s system include the use of poor passwords or password retention (e.g., writing down the password next to your computer, etc.), poor understanding of procedures (e.g., allowing someone who has “forgotten” his/her access card into the building by using their own access code rather than following the proper procedures, etc.), being oblivious to one’s surroundings when handling sensitive information (e.g., not proactively protecting computer screens when sensitive information is displayed, leaving the information wide open for extraction via shoulder surfing, etc.), not understanding the reasoning and value of accessing systems via VPN when working remotely, and the list goes on.
As the CMMC Domain for Awareness and Training (AT) suggests, there are 2 primary components to getting personnel up to speed on not only what is required, but also why. The “why” is a huge factor in a successful program, as without the “why” personnel may not understand the gravity of certain actions or inactions and consequently ignore them.
Awareness is primarily meant to change a user’s behavior, providing the reasoning why these requirements are important and how to implement the requirements in a practical application. For this I would suggest a robust and comprehensive training program for personnel, both initially (when first hired) and annually thereafter, keeping them fresh on the topics and new concerns in the cybersecurity industry.
The CMMC Framework addresses Conducting Security Awareness Activities at varying levels in the framework, with higher levels being more and more intricate.
Level 2 requires somewhat basic awareness training at the administrative and managerial level as to potential risks and the policies and procedures addressing these risks:
AT.2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Level 3 goes even further, also requiring insider threat training for the organization’s personnel:
AT.3.058: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Level 4 provides for the most robust awareness training program, focusing further on social engineering, suspicious behavior, etc., and providing for practical exercises addressing current threats:
AT.4.059: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
AT.4.060: Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals in the training.
Training is primarily meant to provide personnel with a skillset. For this I would suggest, among other things, internal training for these skillsets, as applicable to the individual organization’s specific infrastructure and needs, and also, a step further, requiring that individuals obtain objective 3rd party training, education and/or certificates with Continuing Education requirements, such as CompTIA’s Security+ or Network+ or ISC2’s CAP or CISSP. The DOD has similar requirements for personnel that will be working with DOD systems, found in DOD 8570.01-M.
As noted in the CMMC Framework addressing Security Training at Level 2:
AT.2.057: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
If you are a DOD contractor, you are probably already accustomed to awareness and training requirements to one extent or another. Between requirements found in regulations such as the FAR, DFARS and NISPOM, and contractual requirements found in contracts, DD254s, etc., you likely have some level of required training for personnel and leadership (usually more extensive) and also an awareness and training program for your organization.
For instance, here at Blue Mantle Technology, we address all awareness and training required of us and then go above and beyond in order to best prepare our personnel for a security-based approach. We have a robust training program that begins with initial training when personnel are onboarded and continues annually thereafter. In addition, persons in key management positions are required to fulfill additional training in order to accommodate those roles, e.g., Facility Security Officers (FSOs) are required to complete an FSO curriculum for possessing facilities, Insider Threat Program Senior Officials (ITPSOs) are required to fulfill a full ITPSO curriculum, etc.
Our awareness training program consists of a comprehensive list of required training courses and exercises, including a periodic meeting and overview of slides containing company and industry security policies and procedures, periodic briefings, periodic luncheon movies (e.g., the FBI has some great movies related to security and insider threat, etc.), and games and exercises about security (e.g., capture the flag; the DCMA CDSE website has a number of fun games for personnel that are also security oriented), among other things.
A sample of the specific security course certificates we require annually can be seen below (initial training is even more expansive than this); it covers all CMMC requirements (and more, including regulatory and contractual requirements, etc.):
1. Cyber Awareness Challenge
2. Suspicious Emails
3. Phishing Awareness
4. Portable Electronic Devices (PED) and Removable Storage Media
5. Smart Phones and Tablets
6. Social Networking and Your Online Identity
7. Introduction to Physical Security
8. Identifying and Safeguarding Personally Identifiable Information (PII)
9. OPSEC Awareness
10. Insider Threat Awareness
11. Threat Awareness and Reporting Program (TARP)
12. Counterintelligence Awareness and Reporting
13. Counterintelligence Awareness Security Brief
14. Level 1 Antiterrorism Awareness
15. Controlled Unclassified Information (CUI)
17. Marking Classified Information
18. Derivative Classification
19. Safeguarding Classified Information
20. Transmission of Classified Information
Many of these courses, if not all, can be found for free on the DCSA websites in STEPP and CDSE (including games, videos, toolkits, etc.) as well as JKO, ALMS, DOD Cyber Exchange, Navy, etc.
Regarding training for a skillset beyond just awareness training, we require all our personnel to have the appropriate security-related training in accordance with, and in proportion to, their specific roles at the company, including having our cybersecurity personnel obtain and maintain the required cybersecurity and Computing Environment (CE) certifications. We go further and apply this requirement to all full-time personnel, regardless of duties and whether they will actually be working on DOD systems (this includes Project Managers and Operations and Administrative personnel). In other words, all BMT personnel must complete sufficient training culminating in a DOD 8570.01-M cybersecurity certification and a relevant CE certificate. Furthermore, we highly encourage our personnel to obtain relevant security certifications that are not in DOD 8570.01-M, such as the CIPP, ISP, etc.
In conclusion, I would suggest that, at a minimum, organizations strive to achieve CMMC Level 4 for Awareness (i.e., AT.4.059 & AT.4.060), including the training covered in the lower-tier levels (i.e., AT.2.056 & AT.3.058), and also the Level 2 Training (i.e., AT.2.057), even if these are not specific requirements applicable to the organization. Many, if not all, of these are best practices in the industry and could save the organization significantly more down the road in lost data, broken systems, liability, bad PR, regulatory fines, etc. It just adds up to common “cents” now in lieu of lost “dollars” down the road.