If you are a federal government contractor, you are preparing your organization for the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense is moving towards the CMMC to standardize the cybersecurity requirements across the Defense Industrial Base (DIB). The goal is to ensure the federal government’s controlled unclassified information (CUI) is not at risk.
Security Awareness and Training Controls
Over the last few months, the CMMC framework has added controls on top of the NIST 800-171 baseline. One of the control families affected is Security Awareness and Training.
Previously, when organizations evaluated their compliance with NIST 800-171, they had to confirm compliance with three areas within Security Awareness and Training:
- General – This control validates that the appropriate personnel are aware of the risks associated with their tasks, along with the administrative controls to protect them.
- Duty Specific – This control verifies that the personnel are trained appropriately for their tasks and the possible security risks.
- Insider Threat Awareness – This control ensures Security Awareness Training, including Insider Threats, is provided to everyone in the organization.
The New CMMC Controls
As the CMMC is starting to take over as the framework of choice for the Defense Industrial Base, three additional controls were added to the previous set:
- Establish Policy – This new control requires organizations to implement a policy that includes Security Awareness and Training.
- Document Practices – This new control requires organizations to document the process of implementing the training.
- Manage – This new control requires organizations to maintain a resource plan and historical report of training being performed.
What the New Controls Mean
The addition of these three controls to the Security Awareness and Training family verifies that the organization has implemented a formal training program, moving away from the ad-hoc approach that NIST 800-171 accepted. In the past, it was fine for your organization to simply have a training program. Under the CMMC, your training program needs to be formalized with executive approval and historical data showing that it was implemented and used.
Formalizing the program ensures that the organization does not miss training requirements and verifies that the program stays current. At CMMC Level 3, having a defined training program, whether internally or externally managed, is sufficient to pass the audit. As organizations look toward Levels 4 and 5, the controls change: end users must complete interactive training modules along with tests that verify they understand the content.
With a robust security awareness program, organizations can review the data from the training to determine what weak points exist within the organization, allowing for course-correcting within the training modules.
How Slate Can Help
Our team works closely with federal government contractors to prepare them for the upcoming Cybersecurity Maturity Model Certification (CMMC). We ensure federal government contractors meet or exceed all the CMMC controls, including the requirements for Security Awareness and Training.
Slate is known for providing security solutions for Federal Agencies—including implementing comprehensive security programs for maximum security organizations and U.S. intelligence agencies. Our team works closely with federal government contractors to help them prepare for the upcoming Cybersecurity Maturity Model Certification (CMMC) standards.
Slate is an approved Registered Provider Organization (RPO) within the CMMC Marketplace. This means we have completed all the requirements set by the CMMC-AB Code of Professional Conduct and have been vetted to help organizations prepare for the CMMC. We are also in the process of becoming a certified CMMC Third-Party Assessor Organization (C3PAO). Our team is composed of highly skilled, recognized, and respected professionals in the security industry. We maintain standard certifications, DoD 8570 compliance, the appropriate clearances, and continuing education to ensure the highest level of security for your organization.