Security Control Spotlight—Training

By Kathryn M. Daily, CISSP, BAI Information Security

In this issue we will shine the spotlight on the Awareness and Training (AT) family of security controls. We’ll show you how the controls dictate the types and frequencies of training that organizations must provide. You’ll also learn about the extent to which existing DoD publications provide system owners with “automatic compliance.”

Those familiar with DIACAP may recall there was a single control, PRTN-1 (entitled “Information Assurance Training”) in the Personnel area, that covered most aspects of training. Additionally, a control in the Physical and Environmental area, PETN-1, covered training on environmental controls.

With RMF, there are a total of 7 security controls and control enhancements in the AT family, to wit:

  • AT-1 Security Awareness and Training Policy and Procedures
  • AT-2 Security Awareness Training
  • AT-2(2) Security Awareness—Insider Threat
  • AT-3 Role-based Security Training
  • AT-3(2) Security Training—Physical Security Controls
  • AT-3(4) Security Training—Suspicious Communications and Anomalous System Behavior
  • AT-4 Security Training Records

It is interesting to note that all 7 of these controls are applicable to all system categorization levels.

The two most commonly used overlays (Classified Information Overlay and Privacy Overlay) retain the same 7 controls/enhancements; however, they also add some extensions and statutory references to these controls. For example, the Classified overlay extends the training requirement to include specific training on classified information handling and consequences of unauthorized disclosure.

These 7 security controls and control enhancements break down into a total of 29 Assessment Procedures (CCIs). And … big surprise! … 19 out of the 29 CCIs are considered “Automatically Compliant” by DoD, by virtue of the existence of DoD Directive 8570.01 (or its replacement, DoD Directive 8140).

That leaves the system owner with just these 10 CCIs to implement and document:

  • Refresher role-based training (CCIs 000109 and 000110)
  • Physical security controls training (CCIs 002051, 001566, 001567)
  • Malicious code training (CCIs 002054, 002054)
  • Training records (CCI 000113)
  • Monitoring individuals’ training (CCI 000114)
  • Retention of training records (CCI 001336)

The independent assessor is expected to carefully review the organization’s training records to ensure the procedures in the DoD publication (8570/8140) are being properly implemented.
