Meeting CMMC 2.0 SAT Requirements

This article outlines CMMC 2.0 and to what extent Phin can help partners meet its SAT requirements.

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) to set cybersecurity standards for the contractors and subcontractors that handle its information. CMMC 2.0 has three levels of security requirements, with each level building on the previous one. A company must be certified at the level a given contract specifies to qualify for that DoD contract.

For companies at Level 2 and above, CMMC requires the security requirements of NIST SP 800-171, which include an Awareness and Training (AT) family: every employee must be made aware of the security risks of their activities and of the policies and procedures that apply to their role. That is where Phin Security can help; however, security awareness training is only one small part of a much larger picture when it comes to meeting CMMC.

So How Can Phin Security Help Partners Meet CMMC 2.0 Security Awareness Training Requirements?

The "black-and-white" answer is that we can't, not on our own. The "grayer area" answer is that Phin Security can help you meet some of CMMC's security awareness and training requirements. Meeting CMMC, however, requires going far beyond general security awareness training and combining it with organization-specific, role-based awareness, training, and policies that address your company's job roles, industry standards, and internal systems.


Annual Security Awareness Training ✅ 

Annual security awareness doesn't mean the training has to be delivered all at once, one time a year. It means every employee receives training at least once a year. An effective way to do this is to split the training over the course of the year into monthly or weekly chunks (easy to do with Phin's campaign scheduling) so that cybersecurity best practices and current threats stay top of mind all year round. Plan on training employees at initial hire, at least annually after that, and again whenever the training material changes because the threat landscape has changed; this cadence is stated explicitly in the Level 3 requirement AT.L3-3.2.1E quoted later in this article, and it is a sensible baseline at Level 2 as well.


Policy Distribution ✅ but not Policy Change Management 🚧
Use our policy distribution tool to make sure employees never miss the policies that apply specifically to the company and to their respective job roles, and to record who has acknowledged which policy. That said, Phin Security doesn't currently help partners define, create, review, approve, or track changes to those policies, and that change management process is a necessary and important part of the policy lifecycle for CMMC.


Risk-Focused Training 🚧 
Include training on risk assessment, management, and reduction. This is especially important for employees who handle Controlled Unclassified Information (CUI), because they need to understand how to protect it against both accidental and intentional insider threats. The Phin training library contains courses covering insider threats, but it does not include training on the handling of CUI. If you are serious about CUI training, free training resources on CUI handling are available to help you get started.



Role-Based Training ✅
Offer specialized cybersecurity training for technical employees that goes beyond the basics and covers the security practices specific to their work. Phin's training curriculum, Security For Developers: OWASP's Top 10, is aimed at educating developers on security practices they can apply in their development process. To reinforce this training, create and distribute policies that cover the code development practices at your company. We also offer prebuilt curriculums focused on cybersecurity training for people in different roles, for example sales staff versus administrative staff.

  • Our prebuilt curriculums may or may not meet the need for role-based training for your organization in the eyes of a CMMC audit.


Phishing & Smishing Simulation ✅ 
With phishing still among the most common ways attackers gain their initial foothold, a phishing simulation program that tests employees' susceptibility to these attacks has never been more important. Using the Phishing Campaign tools at Phin Security, you can distribute simulated phishing and smishing messages, then track and report on how well your workforce spots and reports the threats in their inbox. Phishing simulation, however, is NOT penetration testing, which CMMC treats as a separate activity (at Level 3, under CA.L3-3.12.1E) and which no awareness training product satisfies.


Reporting ✅
Keep detailed records of your training activities, including dates, content covered, attendance, assessment results, and feedback. This documentation is essential for demonstrating compliance during a CMMC assessment. Phin's reporting and analytics toolset can help your organization produce a record of each user's training throughout the year.

 

What Does CMMC Require for Security Awareness Training?

To meet Level 2 of CMMC, DoD contractors must have an SAT program that satisfies the three Level 2 (AT.L2) practices below; Level 3 adds the two enhanced (AT.L3) requirements that follow them:

Full Requirements Listed Here

AT.L2-3.2.1 Role-Based Risk Awareness

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. 

AT.L2-3.2.2 Role-Based Risk Training

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

AT.L2-3.2.3 Insider Threat Awareness

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

AT.L3-3.2.1E  Advanced Threat Awareness (PTA)

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

AT.L3-3.2.2E  Practical Training Exercises

Include practical exercises in awareness training for all users, tailored by role to include general users, users with specialized roles, and privileged users. These exercises should be aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.


 

Knowledge Base

Phin works to update our Knowledge Base with new features with every release. You can read about the platform and its updates here: https://www.phinsec.io/knowledge.

Thanks for using our product!

We use all provided feedback to help drive Phin's development direction. Please keep reaching out and helping us shape the product's future! All ideas are welcome; please keep them coming!

The Dev Team @ Phin
