This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
(a) As part of initial training for new users;
(b) When required by information system changes; and
(c) [FedRAMP Assignment: (L)(M)(H) at least annually] thereafter.
NIST 800-53 (r4) Supplemental Guidance:
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
References: None
NIST 800-53 (r5) Discussion:
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
38North Guidance:
Meets Minimum Requirement:
Provides security awareness training to new users initially, on an annual basis, and when required by information system changes. The training covers how users should respond to and report suspected security incidents.
Free options that can be used to meet the AT-2 requirement:
https://public.cyber.mil/training/cyber-awareness-challenge/
https://securityawareness.usalearning.gov/awarenessrefresher/story.html
A PowerPoint presentation paired with a signed user acknowledgment
Best Practice:
The security awareness training content is updated regularly.
Security awareness techniques are sent to users throughout the year as needed to promote awareness of relevant threats (ex: sending an email blast with tips for teleworking during the pandemic).
Training content is enhanced and adapted based on recent audit findings, security incidents, and other lessons learned.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Security awareness training curriculum provided to users (ex: a printout of the module from an LMS, PowerPoint slides, email blasts, etc.)
Training records showing that users have completed the initial training and the annual refresher training
Audit log of reviews and updates to the annual training policies and procedures
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD