NetStable
Level 2 AT.L2-3.2.3

Provide security awareness training on recognizing and reporting potential indicators of insider threat

📖 What This Means

This practice (the CMMC form of NIST SP 800-171 requirement 3.2.3) requires organizations to train their personnel to recognize and report potential signs of insider threat. Insiders are people who already hold legitimate access: employees, contractors, or business partners who may harm the organization's security intentionally or through negligence. Training should cover behaviors such as unusual access requests, attempts to move data outside approved channels, or use of sensitive information outside a person's job role. For example, an employee downloading large volumes of data late at night, or accessing systems unrelated to their duties, could be an indicator; so could personal stressors, expressed hostility toward the organization, or foreign contacts that are not reported as required. The training must also tell staff exactly how and to whom to report (the security team, the facility security officer, or the organization's insider threat program), so that early concerns reach someone who can act on them.

🎯 Why It Matters

Insider threats are a significant risk because trusted individuals already have access to sensitive systems and data, so perimeter and authentication controls do little to stop them. According to the 2022 Verizon Data Breach Investigations Report, 22% of breaches involved internal actors. The cost is severe: the Ponemon Institute's 2022 Cost of Insider Threats report put the average annualized cost of insider incidents at $15.38 million per affected organization. For DoD contractors, an insider incident can expose Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), leading to loss of contracts, legal penalties, and reputational damage. CMMC includes this practice because co-workers are often the first to notice the behavioral indicators, and a workforce that knows what to look for and where to report it is a detection control that no tool replaces.

How to Implement

  1. Use a cloud-based training platform such as KnowBe4 or Proofpoint Security Awareness Training, and confirm its insider threat module covers both the indicators and the reporting procedure; generic phishing modules alone do not satisfy this practice.
  2. Provision users into the platform from your identity provider (Azure Active Directory, now Microsoft Entra ID, or AWS IAM Identity Center) via SSO and SCIM, so every active account is enrolled automatically and departed users stop appearing as gaps.
  3. Deploy a phishing simulation tool (Microsoft Defender for Office 365 attack simulation training, or the open-source GoPhish) to test whether people recognize and, more importantly, report suspicious activity.
  4. Track completion from the training platform's own reports or LMS export, and reconcile that export against the identity provider's list of enabled accounts. Cloud logging services such as AWS CloudTrail and Azure Monitor record API and resource activity, not training status; use them to audit who accessed or changed the training records store, not as the completion record itself.
  5. Automate enrollment and annual refresher reminders with workflow tooling such as Okta Workflows or the platform's built-in scheduler.
  6. Include insider threat scenarios specific to cloud environments, such as a user copying data out of an S3 bucket or SharePoint site that their role does not require.
  7. Store training records in an access-controlled repository and retain them at least through the next assessment cycle.
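The reconciliation in steps 2 and 4 is the check an assessor will effectively perform by hand: every enabled account in the identity directory should have a current completion for the insider threat course. The script below is an added example, not NetStable's tooling or any vendor's API; it assumes two CSV exports with the column names shown (a directory export with user, enabled, type, and an LMS export with user, course, completed, score), and the sample rows are constructed. It keeps only the most recent completion per user, ignores disabled accounts (out of scope, not a gap), and reports both never-trained and overdue personnel with a configurable refresher period.

```python
"""Reconcile an identity-directory user export against LMS completion records
to list personnel who are missing or overdue for insider threat training.

Added example (not the page's or any vendor's code). Column names and the
sample rows below are assumptions constructed for illustration."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: directory export (e.g. Entra ID / IAM Identity Center users).
DIRECTORY_CSV = """user,enabled,type
alice@example.com,true,employee
bob@example.com,true,contractor
carol@example.com,true,employee
dave@example.com,false,employee
erin@example.com,true,employee
"""

# Constructed sample: LMS completion export. alice has two records (keep latest);
# carol completed only an unrelated course; dave is disabled in the directory.
LMS_CSV = """user,course,completed,score
alice@example.com,Insider Threat Awareness,2023-11-02,90
alice@example.com,Insider Threat Awareness,2024-10-15,95
bob@example.com,Insider Threat Awareness,2023-06-30,88
carol@example.com,Phishing Basics,2024-09-01,100
dave@example.com,Insider Threat Awareness,2024-01-10,92
"""

COURSE = "Insider Threat Awareness"
REFRESH_PERIOD = timedelta(days=365)  # annual refresher assumed by this page


def latest_completions(lms_csv, course):
    """Return {user: (completed_date, score)} keeping only the most recent
    completion of the named course for each user."""
    latest = {}
    for row in csv.DictReader(io.StringIO(lms_csv)):
        if row["course"] != course:
            continue
        done = date.fromisoformat(row["completed"])
        if row["user"] not in latest or done > latest[row["user"]][0]:
            latest[row["user"]] = (done, int(row["score"]))
    return latest


def training_gaps(directory_csv, lms_csv, course, as_of, refresh=REFRESH_PERIOD):
    """Return a sorted list of (user, type, status) for enabled accounts that
    never completed the course or whose latest completion is older than the
    refresh period. Disabled accounts are skipped rather than reported."""
    latest = latest_completions(lms_csv, course)
    gaps = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        user = row["user"]
        if user not in latest:
            gaps.append((user, row["type"], "never completed"))
        else:
            age = as_of - latest[user][0]
            if age > refresh:
                gaps.append((user, row["type"], f"overdue by {age.days - refresh.days} days"))
    return sorted(gaps)


def gap_report(as_of_iso):
    """Convenience wrapper over the constructed samples for a given as-of date."""
    return training_gaps(DIRECTORY_CSV, LMS_CSV, COURSE, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    # Constructed as-of date; in practice use the assessment date.
    for user, kind, status in gap_report("2025-01-15"):
        print(f"{user:22} {kind:10} {status}")
```

Run against the sample data as of 2025-01-15, the report lists bob (contractor, last trained mid-2023 and therefore overdue), carol (completed only the unrelated course) and erin (no record at all), while alice is current and dave is ignored because the account is disabled. The same output, exported with the as-of date, is a sensible quarterly evidence artifact alongside the raw LMS export.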
⏱️ Estimated Effort
Initial setup: 8-12 hours (mid-level IT skills). Ongoing: 2-4 hours annually per employee for training and record-keeping.

📋 Evidence Examples

Training Curriculum

Format: PDF/DOCX
Frequency: Annually or when updated.
Contents: Outline of topics covered, including insider threat indicators and reporting procedures.
Collection: Export from LMS or training platform.

Training Completion Records

Format: CSV/Excel
Frequency: Quarterly.
Contents: Employee names, completion dates, and scores.
Collection: Export from LMS or training platform.

Phishing Simulation Results

Format: PDF
Frequency: Quarterly.
Contents: Summary of test results, including click rates and reporting rates.
Collection: Export from phishing simulation tool.

Policy Document

Format: PDF
Frequency: Annually or when updated.
Contents: Written policy on insider threat recognition and reporting.
Collection: Store in document management system.

Incident Reports

Format: PDF
Frequency: As needed.
Contents: Documented reports of suspected insider threats.
Collection: Generate from incident management system.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AT.L2-3.2.3 ("Provide security awareness training on recognizing and reporting potential indicators of insider threat"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your security awareness and training program, including the platform used, training content, frequency, tracking mechanism, and how completion is enforced. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AT.L2-3.2.3 is implemented using cloud-hosted services. [Organization] uses [specific training platform] to provide security awareness training on recognizing and reporting potential indic.... Users are enrolled automatically from [Microsoft Entra ID/AWS IAM Identity Center] via SSO, completion is tracked in the platform, and the record store is monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'LMS completion export reconciled against the Entra ID enabled-user list, course outline showing the insider threat module']."

On-Premise

"AT.L2-3.2.3 is implemented through on-premise training and records. [Organization] uses [on-premise LMS/in-person sessions] to provide security awareness training on recognizing and reporting potential indic.... Enrollment is driven from [Active Directory group membership], records are documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'signed attendance rosters or LMS export, AD user list reconciled against completion records']."

Hybrid

"AT.L2-3.2.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify which personnel categories receive training (employees, contractors, vendors)
  • Document training delivery mechanism (online platform, in-person)
  • Specify how training records are maintained
  • Ensure this practice covers everyone with access to systems within your defined CUI boundary, including contractors, vendors and managers, not only full-time employees
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Security Awareness Training Policy
  • 📄 Training completion records
  • 📄 Training materials and curriculum
  • 📄 Evidence artifacts specific to AT.L2-3.2.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review training completion rates, examine training content for adequacy, and verify that training records are maintained with dates and scores. Expect the two NIST SP 800-171A assessment objectives for 3.2.3 to be checked directly: that the organization has identified the potential indicators of insider threat, and that training on recognizing and reporting them is actually provided to managers and employees. A course that covers only phishing, or that never states the reporting procedure, will be flagged even if completion is 100%.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Has your organization developed an insider threat awareness training program?

✅ YES → Proceed to Q2.
❌ NO → GAP: Develop a training program using NIST or SANS resources. Timeline: 2 weeks.

Question 2: Are all employees required to complete the training annually?

✅ YES → Proceed to Q3.
❌ NO → GAP: Implement mandatory training via LMS. Timeline: 1 month.

Question 3: Does the training include specific examples of insider threat indicators?

✅ YES → Proceed to Q4.
❌ NO → GAP: Update training content with real-world scenarios. Timeline: 2 weeks.

Question 4: Are phishing simulations conducted to test employee awareness?

✅ YES → Proceed to Q5.
❌ NO → GAP: Deploy phishing simulation tools like GoPhish. Timeline: 1 month. Note that AT.L2-3.2.3 itself requires the insider threat content and reporting training, not simulations; simulations are a widely accepted way to show the training changes behavior and to generate evidence.

Question 5: Are training completion records maintained and accessible for audits?

✅ YES → Compliance confirmed.
❌ NO → GAP: Centralize records in a secure database. Timeline: 2 weeks.

⚠️ Common Mistakes (What Auditors Flag)

1. Training content is outdated.

Why this happens: Failure to update materials annually.
How to avoid: Schedule annual reviews and incorporate new threat intelligence.

2. Training records are incomplete.

Why this happens: Lack of centralized tracking.
How to avoid: Use an LMS to automate record-keeping.

3. Employees don't recognize insider threat indicators.

Why this happens: Training lacks practical examples.
How to avoid: Include real-world scenarios and case studies.

4. Phishing simulations are not conducted.

Why this happens: Resource constraints or oversight.
How to avoid: Use open-source tools like GoPhish for cost-effective testing.

5. Training is not role-specific.

Why this happens: Generic content used for all employees.
How to avoid: Tailor training to different job roles and access levels.

📚 Parent Policy

This practice is governed by the Awareness and Training Policy

View AT Policy →

📚 Related Controls