Ensure that managers, systems administrators, and users are aware of security risks and their responsibilities
📖 What This Means
This practice requires that everyone in your organization—from managers to system administrators to regular users—understands the security risks they face and knows their responsibilities in protecting sensitive information. Think of it like a fire drill: everyone needs to know what to do to prevent a fire and how to respond if one starts. For example, managers should ensure their teams follow security protocols, system administrators should secure the systems they manage, and users should avoid clicking on suspicious links. This awareness helps prevent breaches, such as when an employee accidentally clicks on a phishing email, which could lead to unauthorized access to sensitive data.
🎯 Why It Matters
Uninformed employees are one of the biggest security risks. For instance, in 2023, 82% of breaches involved human error, including phishing attacks. If your team isn’t aware of security risks, they could inadvertently expose sensitive data, leading to financial losses, legal penalties, and damage to your reputation. From the DoD/CMMC perspective, this control ensures that defense contractors—who handle Controlled Unclassified Information (CUI)—are equipped to protect it. Ignoring this practice could result in failing a CMMC audit and losing DoD contracts.
✅ How to Implement
1. Use cloud-native training tools like AWS Security Awareness Training or Microsoft Security Awareness Training.
2. Automate phishing simulations using tools like KnowBe4 or Proofpoint.
3. Assign role-based training modules in your cloud platform (e.g., Azure Security Center).
4. Enable logging and reporting to track training completion in cloud dashboards.
5. Regularly update training content to address emerging cloud-specific threats.
📋 Evidence Examples
Training Completion Certificates
Phishing Simulation Results
Training Policy Document
Training Attendance Logs
Training Content Version History
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For AT.L2-3.2.1 ("Ensure that managers, systems administrators, and users are aware of security risks and their responsibilities"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your security awareness and training program, including the platform used, training content, frequency, tracking mechanism, and how completion is enforced. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"AT.L2-3.2.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to ensure that managers, systems administrators, and users are aware of security ri.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"AT.L2-3.2.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to ensure that managers, systems administrators, and users are aware of security ri.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"AT.L2-3.2.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify which personnel categories receive training (employees, contractors, vendors)
- Document the training delivery mechanism (online platform, in-person)
- Specify how training records are maintained
- Ensure this control covers all systems within your defined CUI boundary where the requirement to make managers, systems administrators, and users aware of security risks and their responsibilities applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 Security Awareness Training Policy
- 📄 Training completion records
- 📄 Training materials and curriculum
- 📄 Evidence artifacts specific to AT.L2-3.2.1
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will review training completion rates, examine training content for adequacy, and verify that training records are maintained with dates and scores.
💬 Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a documented security awareness training policy?
Question 2: Are all employees required to complete security awareness training annually?
Question 3: Are phishing simulations conducted at least quarterly?
Question 4: Are training records maintained for at least 3 years?
Question 5: Is role-specific training provided to system administrators and managers?
⚠️ Common Mistakes (What Auditors Flag)
1. Training records are incomplete or missing.
2. Phishing simulations are not conducted regularly.
3. Role-specific training is not provided.
4. Training content is outdated.
5. Training completion is not enforced.
📚 Parent Policy
This practice is governed by the Awareness and Training Policy.