Ensure that personnel are trained to carry out their assigned information security-related duties
📖 What This Means
This practice means that every employee, contractor, or anyone else working for your organization must be properly trained to perform their specific security-related tasks. This ensures they understand how to protect sensitive information like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Training should be tailored to their job responsibilities and cover relevant security policies and procedures. For example, an IT administrator should know how to secure systems, while a receptionist might need training on recognizing phishing emails. The goal is to minimize human error, which is a leading cause of security breaches.
🎯 Why It Matters
Untrained personnel are a significant security risk. They may accidentally expose sensitive data, fall for phishing scams, or mishandle security tools. For instance, in 2023, a defense contractor suffered a breach when an employee clicked on a phishing link, leading to the theft of CUI. The financial impact included fines, legal fees, and loss of contracts, while reputational damage made it harder to win future bids. The Department of Defense (DoD) emphasizes this control because human error is often the weakest link in cybersecurity. Proper training reduces risks, ensures compliance, and protects both the organization and national security.
✅ How to Implement
1. Identify cloud-specific security roles (e.g., AWS IAM administrator, Azure security analyst).
2. Use cloud provider training resources (e.g., AWS Training, Microsoft Learn).
3. Assign role-based training modules via platforms like Coursera or Pluralsight.
4. Conduct phishing simulations using tools like KnowBe4 or Proofpoint.
5. Track completion using cloud-native tools like AWS CloudTrail or Azure Activity Log.
6. Schedule annual refresher training.
7. Document training records in cloud storage (e.g., S3 bucket, OneDrive).
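Steps 3, 5, 6 and 7 above, together with the assessor's expectation that training records carry dates and scores, come down to one reconciliation: compare the personnel roster against the training platform's completion export and report who is missing a required module, who scored below passing, and whose completion is older than the refresher window. The script below is an added example, not code from the original page or from any training platform; the roster, the training export, the role-to-module mapping, the 365-day refresher window and the passing score of 80 are all constructed assumptions, and a real deployment would read the two CSV files exported from the HR system and the training platform instead of the inline strings.

```python
"""Reconcile a personnel roster against training completion records.

Added example (not part of the original page). Produces the per-person
findings and the overall completion rate that back the "Training
Completion Records" evidence item: missing modules, failing scores and
completions older than the refresher window. All data, roles, module
names and thresholds below are constructed assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed roster export: employee_id,name,role (role drives required modules)
ROSTER_CSV = """employee_id,name,role
E001,Alice Admin,it_admin
E002,Bob Desk,receptionist
E003,Carol Dev,developer
E004,Dan Contractor,it_admin
E005,Eve New,
"""

# Constructed training-platform export: one row per module attempt
TRAINING_CSV = """employee_id,module,completed_on,score
E001,security-fundamentals,2024-11-01,95
E001,privileged-access,2024-10-15,88
E002,security-fundamentals,2024-09-20,90
E002,phishing-awareness,2023-06-01,85
E003,security-fundamentals,2024-12-01,72
E003,secure-coding,2024-12-02,91
E004,security-fundamentals,2024-12-10,84
"""

# Assumed role-to-module mapping (role-based training assignment)
ROLE_REQUIREMENTS = {
    "it_admin": ("security-fundamentals", "privileged-access"),
    "receptionist": ("security-fundamentals", "phishing-awareness"),
    "developer": ("security-fundamentals", "secure-coding"),
}
REFRESH_DAYS = 365            # assumed annual refresher window
PASSING_SCORE = 80            # assumed minimum passing score
AS_OF = date(2025, 1, 15)     # assumed assessment date


def load_roster(text=ROSTER_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def load_training(text=TRAINING_CSV):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["completed_on"] = date.fromisoformat(r["completed_on"])
        r["score"] = int(r["score"])
    return rows


def latest_attempts(records):
    """Map (employee_id, module) -> the most recent attempt row."""
    latest = {}
    for r in records:
        key = (r["employee_id"], r["module"])
        if key not in latest or r["completed_on"] > latest[key]["completed_on"]:
            latest[key] = r
    return latest


def training_findings(roster, records, as_of):
    """Return {employee_id: [finding, ...]}; an empty list means compliant."""
    latest = latest_attempts(records)
    cutoff = as_of - timedelta(days=REFRESH_DAYS)
    findings = {}
    for person in roster:
        eid, role = person["employee_id"], person["role"]
        issues = []
        if role not in ROLE_REQUIREMENTS:
            # No assigned role means no defined training, which is itself a finding
            issues.append("unassigned-role")
        for module in ROLE_REQUIREMENTS.get(role, ()):
            attempt = latest.get((eid, module))
            if attempt is None:
                issues.append(f"missing:{module}")
            elif attempt["score"] < PASSING_SCORE:
                issues.append(f"failed:{module}")
            elif attempt["completed_on"] < cutoff:
                issues.append(f"expired:{module}")
        findings[eid] = issues
    return findings


def completion_rate(findings):
    """Fraction of the roster with no findings, rounded to two decimals."""
    if not findings:
        return 0.0
    compliant = sum(1 for issues in findings.values() if not issues)
    return round(compliant / len(findings), 2)


if __name__ == "__main__":
    result = training_findings(load_roster(), load_training(), AS_OF)
    for eid, issues in result.items():
        print(eid, "OK" if not issues else ", ".join(issues))
    print(f"completion rate: {completion_rate(result):.0%}")
```

The per-person findings list is the remediation queue (re-assign the module, re-take the failed one, schedule the refresher), and the completion rate is the figure to quote in the SSP narrative and to recompute before each assessment. Only the most recent attempt per module counts, so a later passing attempt clears an earlier failure; an unassigned role is reported as a finding rather than silently treated as compliant.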
📋 Evidence Examples
Training Curriculum
Training Completion Records
Phishing Simulation Results
Security Policy Acknowledgment Forms
Training Attendance Logs
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For AT.L2-3.2.2 ("Ensure that personnel are trained to carry out their assigned information security-related duties"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your security awareness and training program, including the platform used, training content, frequency, tracking mechanism, and how completion is enforced. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"AT.L2-3.2.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to ensure that personnel are trained to carry out their assigned information securi.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"AT.L2-3.2.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to ensure that personnel are trained to carry out their assigned information securi.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"AT.L2-3.2.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify which personnel categories receive training (employees, contractors, vendors)
- Document training delivery mechanism (online platform, in-person)
- Specify how training records are maintained
- Ensure this control covers all systems within your defined CUI boundary where this practice (ensuring that personnel are trained to carry out their assigned information security-related duties) applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 Security Awareness Training Policy
- 📄 Training completion records
- 📄 Training materials and curriculum
- 📄 Evidence artifacts specific to AT.L2-3.2.2
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will review training completion rates, examine training content for adequacy, and verify that training records are maintained with dates and scores.
💬 Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do all employees have assigned security-related roles?
Question 2: Are role-specific training materials available?
Question 3: Have all employees completed their assigned training?
Question 4: Are training records maintained and up to date?
Question 5: Has phishing simulation testing been conducted?
⚠️ Common Mistakes (What Auditors Flag)
1. Incomplete training records
2. Generic training content
3. Infrequent phishing simulations
4. Missing policy acknowledgments
5. No refresher training
📚 Parent Policy
This practice is governed by the Awareness and Training Policy.