3.2.2—Awareness and Training - Basic
>Control Description
>Discussion
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls.
Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. [SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What documented policies and procedures address awareness and training - basic for CUI systems?
- •Who is accountable for implementing and maintaining awareness and training - basic controls?
- •How frequently are awareness and training - basic requirements reviewed, and what triggers updates?
- •What process ensures changes to systems maintain compliance with awareness and training - basic requirements?
- •How are exceptions to awareness and training - basic requirements documented and approved?
Technical Implementation:
- •What technical controls enforce awareness and training - basic in your CUI environment?
- •How are awareness and training - basic controls configured and maintained across all CUI systems?
- •What automated mechanisms support awareness and training - basic compliance?
- •How do you validate that awareness and training - basic implementations achieve their intended security outcome?
- •What compensating controls exist if primary awareness and training - basic controls cannot be fully implemented?
Evidence & Documentation:
- •What documentation proves awareness and training - basic is implemented and operating effectively?
- •Can you provide configuration evidence showing how awareness and training - basic is technically enforced?
- •What audit logs or monitoring data demonstrate ongoing awareness and training - basic compliance?
- •Can you show evidence of a recent review or assessment of awareness and training - basic controls?
- •What artifacts would you provide to a CMMC assessor to demonstrate awareness and training - basic compliance?
Ask AI
Configure your API key to use AI features.