The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. The second of the 14 Families of Requirements for NIST 800-171 compliance is Awareness and Training.
What is Awareness and Training in Terms of NIST 800-171?
Awareness and training consists of all the activities, both formal and informal information sharing, techniques, mechanisms, and tools, that help individuals within an organization understand the expectations they must meet when performing their assigned duties.
Employees need to complete regularly scheduled, role-based cybersecurity awareness training and be educated on the applicable policies, standards, and procedures. People are the first line of security defense and, at the same time, the most common source of inappropriate information access. Users need to be educated on the following, as it applies to networks and data:
- Security best practices
- Security risks
- How to identify and handle security incidents
All employees are required to complete a dedicated annual cybersecurity awareness training. Some in specialized roles may also need additional training and certifications. This training is designed to improve employee awareness, knowledge, and actions related to information security. The goal is 100% completion by all users (at least once every 365 days), with users applying the knowledge gained from the course to mitigate vulnerabilities. Awareness and training consists of 2 Basic Requirements and 1 Derived Requirement:
- 3.2.1 Ensure personnel are aware of the risks and safeguards associated with their duties.
- 3.2.2 Ensure personnel are trained and able to carry out their security responsibilities.
- 3.2.3 Train personnel on how to recognize and respond to insider threats.
Some reputable vendors for assistance in implementing awareness and training are Phin Security, KnowBe4, and Interpro IQ. For a guide on training and security awareness programs, see SP 800-50. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC.
NeQter Labs can assist you with building the foundation for your cybersecurity and compliance program. By combining SIEM, vulnerability scanning, inventory, and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that, no matter what, we can assist you with all your compliance needs. Contact us here. Keep up with our latest content by following NeQter Labs on Twitter, Facebook, LinkedIn, and YouTube.