If your organization is working toward Cybersecurity Maturity Model Certification (CMMC), then you will eventually come across the sections dealing with cybersecurity awareness, training and personnel security (sections 3.2 and 3.9 of NIST 800-171).
When working through these sections, there’s a surprising amount of information you’ll want to keep in mind—and some best practices to follow. We’ve got all the details here, so let’s dive in!
Table of Contents:
The Implications of CMMC Moving to DoD
What You Need to Know About this Part of CMMC
3.2.1 Family Controls
3.2.2 Role-Based Security Training
3.2.3 Insider Threats
3.9 Personnel Security
3.9.2 Terminations and Transfers
The Implications of CMMC Moving to DoD
The CMMC program has moved to the Department of Defense and falls under the Chief Information Officer. This means more organizations will have to get a CMMC Assessment after all.
In the past, you were allowed to self-attest at Levels One and Two. But at Ntiva, we recommend you keep operating under the assumption that you are going to get audited at some point.
If you get lucky enough to go after a contract that doesn't require an audit, congratulations. But you will still need to attest that you're in compliance: You must demonstrate you have all the security you need in place, just as if you were being audited.
At a town hall in February 2022, David McKeown (Deputy DoD CIO) said all 80,000 companies are going to require third-party assessments. “Unfortunately, it looks like pretty much everybody falls into the category of either being a clear defense contractor or having some critical industry tie, that pretty much all of those are going to end up being very important CUI,” said McKeown.
What You Need to Know About This Part of CMMC
With CMMC, Awareness and Training fall under section 3.2, with Personnel Security falling under section 3.9. There are five things to consider across these two areas:
- 3.2.1 – Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- 3.2.2 – Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
- 3.2.3 – Provide security awareness training on recognizing and reporting potential indicators of insider threat.
- 3.9.1 – Screen individuals prior to authorizing access to organizational systems containing CUI.
- 3.9.2 – Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
This is deceptively basic language. If you simply read statement 3.2.3, for example, it’s vague: “3.2.3 – Provide security awareness training on recognizing and reporting potential indicators of insider threat.” What does that mean specifically? Can you just take a simple security awareness training once a year and then check this item as completed?
We all know there's a lot more work involved. So, let's look at some of the individual practices.
3.2.1 Family Controls
3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
It seems straightforward: Make people aware of the risks. However, if you look deeper, you find out the CMMC framework allows organizations to determine their own training frequencies. This can be a bit of a problem, because if you’re not in line with what DoD or any other federal agency does, you may have to change your policies and procedures once you go to the audit.
Do awareness training during onboarding
For this reason, we recommend something that is standard across almost all DoD and federal government departments and agencies—security awareness training during onboarding, right after someone is hired.
This can be done remotely before the employee starts, or in-office on their first day. Either way, the employee does not gain access to email accounts or any other systems until they’ve completed the training and provided you with their certificates.
Do refresher training at year-end
One-and-done is fine for some trainings, but not cybersecurity. Initial security awareness training should be followed by refresher training a year later. Beyond that, depending on your contract dates and any federal government or DoD requirements, you can schedule the annual refresher whenever you want. Some organizations choose to bundle it with their regular annual training, while others (like Ntiva) typically conduct this training in early Q4 every year.
Implement ad hoc refresher security training
You can also insist on retaking training if there's a user who has a security incident, such as clicking on a link in a phishing email. (Any security gaffe by a user can trigger a re-training, if you want to make that your process.) This repeated training not only makes your organization safer, it emphasizes to employees how seriously you take cybersecurity.
Publish a formal policy on training and awareness
Tell staff what your expectations are, where to go to get the training, when the training should be completed, and so on. This policy should be right alongside your employee handbook—and close to every manager’s hand—so anybody who joins your organization has easy access to it and knows where to go to get this information.
Create a training repository
Depending on the size of your organization, you may consider creating a training repository. Keep in mind, however, administration and recordkeeping can be a challenge—and it’s crucial to ensure all certificates are signed, dated and correct, whether in a ledger system or via some other record keeping method.
Other awareness tools
Don’t keep security out of sight and out of mind. Internal communications tools like posters, printed swag, email newsletters, threat reports and daily group chat reminders are all excellent ways to keep cybersecurity top of mind. Another smart tactic is the use of logon banners and warnings. This is fairly common practice in the federal government: Before you can put your username and password into any government-supplied equipment, you must click OK to that warning banner.
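The logon banner described above is a local security policy setting on Windows. The script below is an added example, not from the article, that sets the two registry values Group Policy uses for "Interactive logon: Message title/text for users attempting to log on" and then reads them back so you have evidence of the effective setting. It assumes an elevated PowerShell session on the host being configured; the organization name and banner wording are placeholders to be replaced with text approved by your legal and compliance staff.

```powershell
# Added example (not from the article): configure the Windows interactive logon
# banner that users must acknowledge before entering credentials.
# Assumes an elevated session on the target host. Banner text is a placeholder.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$caption   = 'NOTICE: Authorized Use Only'   # placeholder title
$message   = @"
This system belongs to EXAMPLE ORG (placeholder) and may contain Controlled
Unclassified Information (CUI). Use is restricted to authorized users and is
subject to monitoring. By clicking OK you acknowledge this notice.
"@

# LegalNoticeCaption and LegalNoticeText are the values behind the Group Policy
# settings "Interactive logon: Message title / Message text for users attempting to log on".
Set-ItemProperty -Path $policyKey -Name 'LegalNoticeCaption' -Value $caption -Type String
Set-ItemProperty -Path $policyKey -Name 'LegalNoticeText'    -Value $message -Type String

# Read the values back: an assessor wants to see the effective setting, not only the script.
Get-ItemProperty -Path $policyKey | Select-Object LegalNoticeCaption, LegalNoticeText
```

On a domain, set the same two policies once in a GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) rather than per host, and keep a screenshot or `Get-ItemProperty` output from a sample workstation as the evidence record.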
3.2.2 Role-Based Security Training
3.2.2: Ensure that personnel are trained to carry out their assigned information-security-related duties and responsibilities.
This one is overlooked by most organizations, to be frank. The type of training referenced here goes above and beyond the annual security awareness training we just discussed and into role-based security training—additional training that's specific and targeted at an employee's roles and responsibilities.
This type of training is also normally done annually and is really for anyone who's changed roles within the company, anyone who's taking on a new role, and anyone who has a role that meets certain requirements—such as developers, architects, acquisitions/procurement, integrators, administrators, engineers and security personnel.
People in these roles may take an hour or two of annual security awareness training, and then an additional day or half-day of role-based training. The point here is that the training is specific to how you do your job. So, if you are a Windows systems admin, you would want to take training related to Windows. If you're a network admin, you're taking some Cisco or Juniper training.
Invest in a Learning Management System to simplify assigning and tracking training
Because of the difficulty and challenges of coming up with enough training content, you may need to invest in a Learning Management System (LMS).
We’ve seen companies try to conduct security training by requiring employees to watch webinars. However, webinars typically don’t provide a certificate of completion … or any kind of monitoring of how long the person actually watched.
An LMS ensures you're maintaining copies of course completions, certificates, records of training, and a ledger if needed or required by your contract. Speaking of contractual requirements, you always want to check with your contracting officer or the contracting officer representative to confirm the contract doesn't impose any additional training requirements.
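Whatever holds the records, an LMS or a spreadsheet, the check an assessor expects is the same: who has a current, signed awareness certificate, who in a designated role has current role-based training, and who owes a retake after an incident. The script below is an added example, not from the article or from any LMS product, that runs that check over a constructed CSV export. The column names, user names, roles and dates are all constructed; the role list follows the roles the article names.

```powershell
# Added example (not from the article): training-record compliance check over a
# constructed LMS export. Flags an overdue annual refresher, an unsigned
# certificate, missing role-based training, and an outstanding post-incident retake.

$today = Get-Date '2024-10-01'   # fixed "now" so the sample run is reproducible

# Roles the article singles out for role-based training (labels are hypothetical).
$roleBasedRoles = 'Developer','Architect','Procurement','Integrator','SysAdmin','Engineer','Security'

# Constructed sample export; adapt the column names to your own LMS.
$records = @'
User,Role,Course,Completed,CertificateId,Signed
alice,SysAdmin,Awareness,2023-08-15,CERT-0001,True
alice,SysAdmin,RoleBased-Windows,2024-02-10,CERT-0002,True
bob,ProjectManager,Awareness,2024-09-01,CERT-0003,True
carol,Developer,Awareness,2024-05-20,CERT-0004,False
dave,Engineer,Awareness,2023-09-15,CERT-0005,True
'@ | ConvertFrom-Csv

# Constructed incident list; each entry triggers an ad hoc retake (e.g. a phishing click).
$incidents = @'
User,Date
bob,2024-09-20
'@ | ConvertFrom-Csv

$findings = foreach ($u in ($records | Select-Object -ExpandProperty User -Unique)) {
    $mine = $records | Where-Object User -eq $u
    $role = ($mine | Select-Object -First 1).Role

    # Most recent awareness course: must exist, be signed, and be under a year old.
    $awareness = $mine | Where-Object Course -eq 'Awareness' |
                 Sort-Object { [datetime]$_.Completed } | Select-Object -Last 1
    if (-not $awareness) {
        [pscustomobject]@{ User = $u; Finding = 'No awareness training on record' }
    } elseif ($awareness.Signed -ne 'True') {
        [pscustomobject]@{ User = $u; Finding = "Certificate $($awareness.CertificateId) is unsigned" }
    } elseif (([datetime]$awareness.Completed).AddYears(1) -lt $today) {
        $due = ([datetime]$awareness.Completed).AddYears(1).ToString('yyyy-MM-dd')
        [pscustomobject]@{ User = $u; Finding = "Annual refresher overdue since $due" }
    }

    # Designated roles also need a role-based course completed within the last year.
    if ($role -in $roleBasedRoles) {
        $rb = $mine | Where-Object { $_.Course -like 'RoleBased-*' -and ([datetime]$_.Completed).AddYears(1) -ge $today }
        if (-not $rb) { [pscustomobject]@{ User = $u; Finding = "Role $role requires current role-based training" } }
    }

    # An incident requires an awareness completion dated after the incident.
    foreach ($inc in ($incidents | Where-Object User -eq $u)) {
        $retake = $mine | Where-Object { $_.Course -eq 'Awareness' -and [datetime]$_.Completed -ge [datetime]$inc.Date }
        if (-not $retake) { [pscustomobject]@{ User = $u; Finding = "Retake required after incident on $($inc.Date)" } }
    }
}

$findings | Format-Table -AutoSize
```

Run it against a real export on a schedule and keep the dated output with the certificates; the findings list is the evidence that the policy is actually being enforced, which is what the assessor asks for.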
3.2.3 Insider Threats
3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Again, it seems straightforward. The problem is that we haven't seen how the CMMC auditors are going to evaluate this one. So, if we go the easy way of checking a box, it may not be sufficient.
Instead, hedge your bets by following some best practices.
The best way to deliver security awareness training on indicators of insider threats is to create an insider-threat program. Just know, however, a comprehensive program can be time consuming. You may be able to remove some threats from your list (like a physical office if your company is 100% virtual), but this type of program still requires involvement from all of your departments, because insider threats are a company wide problem.
Procure security tools
An alternative to developing an insider-threat program is to invest in some tools, such as intrusion detection and prevention, as well as log aggregators or SIEMs (security information and event management systems). These are ways to ingest logs and send your data through tools that block much of the malicious content automatically.
Then, your security operations center analysts review the logs that produce alerts and look for indicators of compromise.
Keep in mind that security tools do collect information on users, up to and including their behaviors, what they're doing on their workstations, what websites they're going to, the amount of time they're spending working versus looking at webpages, and so on. These types of security measures are not always well received by employees and can have a negative impact on trust and morale, so organizations must step carefully and keep cybersecurity—not employee surveillance—the primary goal.
Train employees how to spot insider threat behaviors
Not every grumbling coworker is a security risk, but there are certain behaviors that can indicate an increased chance of something going awry. Whether it’s a cash-strapped employee being tempted to divert funds or sell information, a violent, disgruntled employee out to do some damage, or just a recently dumped staffer who was distracted and forgot to lock his laptop, many threats can be spotted by the people closest to them—other employees.
There are far more high-risk indicator behaviors than the ones listed above, but the key to spotting them is conducting two types of training:
The first training is for base users. It essentially says, "If you see these types of behaviors (social engineering attempts, and so on), here's who you should report it to." This person could be a line manager or their first manager in their chain of command, or an anonymous hotline.
The second training is for line managers, on how to deal with warning signs when they spot them. Line managers have more information on users (performance reviews and things like that). Line managers must also know how to protect employee privacy and involve HR when needed to ensure alignment with laws and/or corporate policies.
3.9 Personnel Security
3.9.1: Screen individuals prior to authorizing access to Controlled Unclassified Information (CUI).
Organizations typically look at this as an HR activity to conduct before employees are hired—a step that involves background checks, drug tests and so on.
The key is to watch employee conduct after onboarding. Look at their integrity, their judgment, their loyalty, their stability. If you have someone who tells small, inconsequential lies fairly often, most people might just overlook that. But will that person tell the truth if they cause a security incident, even if that incident was accidental or unintentional? Examine their behavior to see their track record for integrity and honesty, so that you can gauge how likely they are to be truthful later.
Additionally, make sure you're vetting your CUI-access screening process to ensure you're meeting local, state and federal guidelines, as well as any contractual obligations.
3.9.2 Terminations and Transfers
3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Speaking of CUI, it must be protected during and after personnel actions, such as terminations and transfers, with a proper onboarding and offboarding process.
Organizations often tend to focus on the onboarding piece more than offboarding because as they onboard people and as their systems grow, access grows. People can't do the work they need to do without good onboarding.
But when you offboard an employee, that tends to be a little less scrutinized. Many employers focus solely on equipment returned and accounts disabled, but have no idea of the full scope of accounts they had, the locations they worked from, their shared access and more.
Pay special attention to transfers
The same access review is needed when employees move from position to position. If they stay within the same job family, a project manager becoming a senior project manager, for instance, there's no change. But if a project manager becomes a system admin, they should be giving up certain permissions and gaining others.
Here are some other steps to take:
- Ensure the proper return of corporate- or government-supplied equipment and peripherals (like badges and keys).
- Remove access. Remove access to all systems, applications and especially data repositories, since these repositories contain CUI in most cases.
- Disable accounts. Removing access is one thing; leaving the account itself enabled rather than disabling or deleting it is another, because the former employee could still sign in, or someone else could use that account to sabotage you.
- Perform exit interviews. A very disgruntled employee is unlikely to give you all the reasons why they're leaving, but any information you can glean from these meetings can help you improve your security posture.
- Document everything. Most importantly, make sure your process is documented and you have evidence you're following it. As we've seen with all of the CMMC controls, it's one thing to have a tool, solution, technology and a plan in place, but if an auditor comes in and says, "Show me your onboarding and offboarding process," you must be prepared with up-to-date documentation. If you have to dust off an electronic doc, can't provide proof of process adoption, or if your evidence is more than 90 days old, your auditor might think your situation is as bad as if you didn’t have a process at all.
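The transfer case above and the offboarding steps just listed come down to one routine: capture what access the person had, remove what the new situation does not need, disable (not delete) the account on termination, and write a dated evidence record. The script below is an added example, not from the article, that does this for an Active Directory account. It assumes the RSAT ActiveDirectory module, a session with rights to modify the account, and a hypothetical "Disabled" OU and evidence folder that you would replace with your own.

```powershell
# Added example (not from the article): termination/transfer routine for an AD
# account that records before-and-after access as dated evidence.
# Assumes the ActiveDirectory module and a privileged session. The OU and
# evidence paths are hypothetical defaults; replace them with your own.
param(
    [Parameter(Mandatory)] [string]   $SamAccountName,
    [ValidateSet('Termination','Transfer')] [string] $Action = 'Termination',
    [string[]] $KeepGroups  = @(),                                # transfers: groups the new role still needs
    [string]   $DisabledOu  = 'OU=Disabled,DC=example,DC=local',  # hypothetical
    [string]   $EvidenceDir = 'C:\Evidence'                       # hypothetical
)

Import-Module ActiveDirectory
$user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf, LastLogonDate
$groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

# Capture the starting state first: the assessor wants to see what access existed.
$record = [ordered]@{
    Timestamp      = (Get-Date).ToString('o')
    Operator       = "$env:USERDOMAIN\$env:USERNAME"
    Action         = $Action
    SamAccountName = $SamAccountName
    LastLogonDate  = $user.LastLogonDate
    GroupsBefore   = $groups
    GroupsRemoved  = @()
    GroupsKept     = @()
    EnabledAfter   = $null
    GroupsAfter    = @()
}

# Termination: strip every group. Transfer: strip only what the new role does not need.
$toRemove = if ($Action -eq 'Termination') { $groups } else { $groups | Where-Object { $_ -notin $KeepGroups } }

foreach ($g in $toRemove) {
    if ($g -eq 'Domain Users') { continue }   # primary group; not removable this way
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    $record.GroupsRemoved += $g
}
$record.GroupsKept = @($groups | Where-Object { $_ -notin $record.GroupsRemoved })

if ($Action -eq 'Termination') {
    # Disable rather than delete so the SID and audit trail survive, then park the object.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd) ($Action)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
}

# Re-read the account so the evidence file reflects the final state, not the intent.
$final = Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf
$record.EnabledAfter = $final.Enabled
$record.GroupsAfter  = @($final.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$file = Join-Path $EvidenceDir "$SamAccountName-$Action-$(Get-Date -Format yyyyMMdd-HHmmss).json"
$record | ConvertTo-Json -Depth 3 | Set-Content -Path $file
Write-Output "Evidence written to $file"
```

Group membership is only one access path; the same record should be extended with the SaaS, VPN and shared-mailbox entitlements the article warns are usually forgotten, and the evidence files should be reviewed on a cadence shorter than the 90-day window the article mentions so they never go stale.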
Attaining CMMC is a long haul. It’s time consuming and labor intensive. But it’s worth it. The first step toward passing an audit is having documentation that proves you are doing what is required.
If you need to close your IT security gaps, consider Ntiva’s Managed Cybersecurity Services.