
3.2.3 Awareness and Training - Derived

Derived Requirement

>Control Description

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

>Discussion

Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address insider threat awareness training (3.2.3) for CUI systems?
  • Who is accountable for implementing and maintaining the insider threat awareness training program?
  • How frequently is the 3.2.3 requirement reviewed, and what triggers updates to the training content?
  • What process ensures that changes to systems or personnel roles keep the organization compliant with the 3.2.3 requirement?
  • How are exceptions to the 3.2.3 requirement documented and approved?

Technical Implementation:

  • What technical controls (e.g., a learning management system, reporting channels) support insider threat awareness training in your CUI environment?
  • How is insider threat awareness training delivered and maintained for all personnel with access to CUI systems?
  • What automated mechanisms (e.g., training completion tracking, reminders) support compliance with 3.2.3?
  • How do you validate that the training achieves its intended outcome, namely that personnel can recognize and report potential indicators of insider threat?
  • What compensating controls exist if the primary insider threat awareness training cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that insider threat awareness training is implemented and operating effectively?
  • Can you provide evidence (e.g., training materials, completion records) showing how 3.2.3 is enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with 3.2.3 (e.g., training completion reports, records of reported concerns)?
  • Can you show evidence of a recent review or assessment of the insider threat awareness training?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with 3.2.3?
