>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.2.1Awareness and Training - Basic

Basic Requirement

>Control Description

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

>Discussion

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security.

Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. [SP 800-50] provides guidance on security awareness and training programs.

>Cross-Framework Mappings

CMMC

AT.L2-3.2.1
Compare

SCF

HRS-04.2
Compare
SAT-02
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address awareness and training - basic for CUI systems?
  • Who is accountable for implementing and maintaining awareness and training - basic controls?
  • How frequently are awareness and training - basic requirements reviewed, and what triggers updates?
  • What process ensures changes to systems maintain compliance with awareness and training - basic requirements?
  • How are exceptions to awareness and training - basic requirements documented and approved?

Technical Implementation:

  • What technical controls enforce awareness and training - basic in your CUI environment?
  • How are awareness and training - basic controls configured and maintained across all CUI systems?
  • What automated mechanisms support awareness and training - basic compliance?
  • How do you validate that awareness and training - basic implementations achieve their intended security outcome?
  • What compensating controls exist if primary awareness and training - basic controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves awareness and training - basic is implemented and operating effectively?
  • Can you provide configuration evidence showing how awareness and training - basic is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing awareness and training - basic compliance?
  • Can you show evidence of a recent review or assessment of awareness and training - basic controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate awareness and training - basic compliance?

Ask AI

Configure your API key to use AI features.