This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization includes practical exercises in security training that reinforce training objectives.
NIST 800-53 (r4) Supplemental Guidance:
Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.
References: None.
NIST 800-53 (r5) Discussion:
Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments.
38North Guidance:
Meets Minimum Requirement:
Conduct practical exercises such as running a phishing test on employees, or using a learning management system (LMS) for security training whose modules end with quizzes or include interactive components that test the user's knowledge.
Best Practice:
Individuals who fail or perform poorly in the practical exercises should be required to review or retake the applicable security training.
Individuals who successfully report simulated or real phishing campaigns should receive a positive notification.
Practical exercises should be tailored to the audience and take into account the participants' background knowledge.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Evidence showing that exercises are performed, such as phishing test results, examples of quizzes that are displayed at the end of training modules in an LMS, etc.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD