A customer sent me the following observation which is something I have been trying to get across for the last 10 years: "I found this interesting – and potentially disconcerting. This will only take a minute for a man like you to get through to understand the point:
To begin with, very recently I had to get myself significantly more knowledgeable with various federal cybersecurity guidelines – mostly NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
Part of this endeavor also included becoming more familiar with the compliance requirements of the upcoming Department of Defense’s ‘Cybersecurity Maturity Model Certification’ (aka CMMC).
In February 2020 NIST revised 800-171. Under the ‘Awareness and Training’ domain (AT 3.2) are the following requirements:
- 3.2.1 - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- 3.2.2 - Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
- 3.2.3 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
These requirements are also repeated verbatim for CMMC level 3 (although with different numerical identifiers). Level 3 is likely to be the contractual standard any organization doing any substantive work for the Department of Defense will have to meet within the next few years.
- AT.2.056 - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- AT.2.057 - Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
- AT.2.058 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
This info led me to search for the information on ‘well, how often must this awareness and training be conducted?’
According to both 800-171 and CMMC (which essentially follows the requirements of 800-171), the answer seems to be:
- Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access.
So it does not appear that any firm minimum standard has been set as far as the frequency of awareness and training goes. It certainly seems to me that organizations can determine the frequency of their security awareness training.
Thus far the only guidance I can see as it relates to frequency comes from the NIST Self-assessment Handbook (2017) (NIST Handbook 162). I would imagine any manager or security person in an organization would wind up in this same place if they went looking for an answer:
- 3.2.1 - Do all users, managers, and system administrators receive initial and annual training commensurate with their roles and responsibilities?
- 3.2.2 - Do employees with security-related duties and responsibilities receive initial and annual training on their operational, managerial, and technical roles and responsibilities?
- 3.2.3 - Do users, managers, and system administrators receive annual training on potential indicators and possible precursors of insider threat, e.g., long-term job dissatisfaction, attempts to gain unauthorized access to information, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of company policies?
I find it quite disconcerting that with all that is going on, and with all that we know about how annual training just doesn’t cut it, neither the revised 800-171 nor the current CMMC guidelines apparently suggest anything more than initial and annual training. The very model which is failing us right now, and which has been failing us for decades."
We have come to the same conclusion, and that's why for a few years now we have been asking all regulators to add the following five words after any requirement for security awareness training: "with frequent social engineering tests". I recently testified before Congress, asking for that very same thing.
We all know that compliance and security are not the same thing and only have a limited overlap. If you are looking for a tool that allows you to get through compliance audits in half the time at half the cost, have a look at KnowBe4's GRC platform.