NetStable
🎓 3 Practices NIST 3.2.1 - 3.2.3

Security Awareness and Training Policy

Awareness and Training Domain (AT)

📖 What This Policy Covers

Awareness and Training ensures your people are your first line of defense rather than your weakest link. This policy covers security awareness training for all personnel (phishing, passwords, CUI handling, incident reporting), role-based training (IT admins: privileged access, secure config; developers: OWASP Top 10; CISO team: advanced threats, forensics; HR: insider threats, termination), insider threat awareness (behavioral and technical indicators, reporting mechanisms), phishing simulations (monthly/quarterly campaigns, metrics tracking, remedial training), and training records management and compliance tracking.

Purpose

This policy ensures all employees receive security awareness training, role-specific training is provided for security-sensitive positions, insider threat awareness is part of the training program, and training completion is tracked and enforced.

Scope

Applies to all employees, contractors, and vendors accessing organizational systems. Covers general security awareness, role-based technical training, insider threat awareness, and phishing simulation programs.

🎯 Why It Matters

Human error causes 74% of data breaches (Verizon DBIR 2023). The most sophisticated technical controls can be bypassed by a single phishing click. Assessors check training completion rates -- if your employees haven't completed training, you have a finding. Phishing simulation results demonstrate whether your training is actually effective. This is also one of the quickest domains to implement since it doesn't require technical infrastructure.

🔐 Key Requirements

1. Security Awareness Training

Mandatory security training for all personnel.

  • Initial training within 30 days of hire/contract start
  • Annual refresher every 12 months
  • Ad-hoc training after major incidents or new threats
  • Topics: password security, phishing recognition, physical security, CUI handling, incident reporting, social engineering, mobile device security, acceptable use
  • Online platform (KnowBe4, Proofpoint, SANS) with quiz (80% pass rate required)
  • 100% completion target within 30 days of due date
  • HR tracks completion and sends reminders for overdue training

2. Role-Based Security Training

Specialized training for personnel with security-sensitive roles.

  • IT Admins: privileged access management, secure configuration (CIS/STIG), patch management, incident response
  • Developers: secure coding (OWASP Top 10), input validation, authentication/authorization, secure SDLC
  • CISO/Security Team: advanced threats, forensics, compliance frameworks (CMMC, NIST 800-171), conferences and certifications
  • HR: personnel screening, insider threat indicators, termination procedures
  • Initial + annual for all roles, continuous for security team

3. Insider Threat Awareness

Train all personnel to recognize and report insider threat indicators.

  • Behavioral indicators: disgruntled employees, policy violations, substance abuse
  • Technical indicators: unusual data downloads, after-hours access, failed privilege escalation
  • Physical indicators: tailgating, unauthorized access attempts
  • Reporting: anonymous hotline, email to [email protected], report to manager or HR
  • All reports investigated by IT Security + HR
  • Annual insider threat awareness module

4. Phishing Awareness & Simulation

Regular phishing simulations to test and improve awareness.

  • Monthly or quarterly simulated phishing campaigns
  • Platform: KnowBe4, Cofense, Proofpoint
  • Metrics: click rate (target <5%), report rate (target >60%)
  • Clickers: required remedial training within 7 days
  • Track improvement over time

5. Training Records

Documentation and retention of all training activities.

  • Completion records: who, what, when, score
  • Training materials archived (slides, videos)
  • Attendance rosters for in-person sessions
  • Acknowledgment/policy acceptance forms
  • Retention: duration of employment + 3 years
  • Quarterly compliance review, escalate non-compliant users to managers

👥 Roles & Responsibilities

CISO / Training Coordinator

  • Define training curriculum and requirements
  • Select and manage training platform
  • Review training metrics and phishing results
  • Approve role-based training programs

HR Department

  • Track training completion in HR system
  • Send reminders for overdue training
  • Escalate non-compliance to managers
  • Coordinate new hire training enrollment

Managers

  • Ensure direct reports complete training on time
  • Identify role-based training needs for team members
  • Follow up on non-compliance escalations

All Employees

  • Complete assigned training within required timeframes
  • Report suspected phishing emails
  • Apply security awareness in daily work
  • Report insider threat indicators

🛠️ Implementation Roadmap (6 Weeks)

Phase 1: Platform & Content (Weeks 1-2)

  • Select training platform (KnowBe4, SANS, Proofpoint)
  • Configure training modules: general awareness, CUI handling, phishing
  • Create role-based training tracks
  • Integrate with HR system for enrollment automation

Phase 2: Initial Rollout (Weeks 3-4)

  • Deploy initial training to all employees
  • Track completion daily, send reminders
  • Escalate non-compliance after 14 days to managers
  • Conduct in-person orientation for CUI-specific handling (if needed)

Phase 3: Phishing Simulation (Weeks 5-6)

  • Launch first phishing simulation campaign
  • Analyze results: click rate, report rate, by department
  • Deploy remedial training for clickers
  • Establish quarterly simulation schedule
  • Create executive summary report template

Recommended Tools

  • KnowBe4 / Proofpoint / SANS Security Awareness (training platform)
  • Cofense (phishing simulation)
  • HR system (BambooHR, Workday) for tracking
  • Microsoft 365 / Google Workspace (phishing report button)

📊 CMMC Practice Mapping

Practice ID    Requirement                              Policy Section
AT.L1-3.2.1    Ensure personnel are trained             1, 4, 5
AT.L2-3.2.2    Provide security awareness training      1
AT.L2-3.2.3    Provide role-based security training     2, 3

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Training Completion Report

Format: Excel/PDF
Frequency: Monthly
Contents: % employees trained by training type, overdue list, completion trends
Tip: Target 100% completion. Show trend data -- completion rate should stay consistently high.

Training Materials

Format: PDF/Video links
Frequency: Annual review/update
Contents: Slides, videos, and quiz questions for each training module
Tip: Keep materials current. Update annually to reflect new threats (e.g., AI-powered phishing).

Phishing Simulation Results

Format: PDF
Frequency: Per campaign (monthly/quarterly)
Contents: Click rates, report rates, trends over time, department breakdown, remedial training completion
Tip: Show improvement over time. If click rates aren't decreasing, adjust your training content.

Role-Based Training Records

Format: Excel
Frequency: Annual
Contents: IT admins, developers, CISO team -- specialized training completed with dates and certifications
Tip: Include external certifications (CISSP, OSCP, Security+) and conference attendance.

Training Acknowledgment Forms

Format: PDF (signed)
Frequency: Annual, plus new hire
Contents: Signed attestations that employees received and understood security policies
Tip: Use digital signatures (DocuSign) for scalability. Include date signed.

⚠️ Common Gaps (What Assessors Flag)

1. Training exists but not tracked

Why this happens: Training is informal -- a meeting or email, but no completion tracking.
How to close the gap: Deploy a training platform with automated tracking (KnowBe4 has a free tier). Require quiz completion to count as 'trained'.

2. No role-based training

Why this happens: Everyone gets the same generic training. IT admins don't get specialized content.
How to close the gap: Create role-based training tracks. IT admins: CIS Benchmark training. Developers: OWASP Top 10 course. Start with free resources (SANS webcasts, OWASP guides).

3. No phishing simulations

Why this happens: Considered 'mean' or too punitive. Concern about employee morale.
How to close the gap: Frame simulations as educational, not punitive. Start with easy simulations and gradually increase difficulty. Share results at the team level, not the individual level. Use each campaign as a teaching moment.

4. Contractors/vendors not included in training

Why this happens: Training program only covers internal employees.
How to close the gap: Require training completion as a condition of contractor onboarding. Use your training platform to provision contractor accounts.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or HR Director

Example: Jane Smith

[1-800-XXX-XXXX]

Anonymous insider threat reporting hotline

Example: 1-800-555-0199

Customization Tips

  • 💡 Specify your training platform by name and how users access it
  • 💡 Adjust the 80% quiz pass rate if your organization requires a different threshold
  • 💡 If you don't have budget for a commercial platform, free resources exist (CISA cybersecurity training, SANS webcasts)
  • 💡 Include your specific phishing simulation schedule and who receives the results

📚 Related Policies